
GRCPro Handbook 6.35.5 0628

Page | 1
Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential.
The training environment provided to you is only for use during the OneTrust Certification Training Program.
You will only have access to login for the duration of training.
Training URL: training.onetrust.com
Please refer to your instructor for the password to your environment.
Disclaimer
No part of this document may be reproduced in any form without the written permission of the copyright
owner.
The contents of this document are subject to revision without notice due to continued progress in
methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any
kind resulting from the use of this document.
OneTrust products, content, and materials are for informational purposes only and not for the purpose of
providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue.
OneTrust materials do not guarantee compliance with applicable laws and regulations.
Contents
OneTrust GRC Certification Program Reference Guide (p. 6)
  Introduction (p. 6)
  Claiming Your OneTrust Badges (p. 7)
  Handbook Tips (p. 8)
    Using the Table of Contents (p. 8)
    Using Exercise Hyperlinks (p. 8)
  Resources & Support (p. 9)
    Sales (p. 9)
    Technical Support (p. 9)
    Partner Support (p. 9)
    My OneTrust (p. 9)
    Tenant Support Request (p. 10)
  Terminology & Frameworks Overview (p. 11)
    What is Governance? (p. 11)
    What is Risk? (p. 11)
    What is Compliance? (p. 11)
    Security Standards/Framework (p. 12)
    Controls Library (p. 12)
    Control Implementations (p. 12)
    Commonly Used Frameworks (p. 12)
  Organizations, Roles, & Users (p. 13)
    Adding a User Exercise (p. 13)
  IT Risk Management: Elements & Inventories (p. 14)
    Overview (p. 14)
      Elements (p. 14)
      Inventories (p. 15)
    Best Practices (p. 16)
    Execution (p. 17)
      Risk Scoring Methodology (p. 17)
      Adding Controls (p. 17)
      Create an Asset & Processing Activity (p. 17)
      Prepare for Common Risks (p. 17)
  IT Risk Management: Assessment & Risk Management (p. 18)
    Overview (p. 18)
      Regulation Example (p. 18)
      Assessment & Risk Lifecycle (p. 18)
    Best Practices (p. 19)
    Execution (p. 19)
      Delivering Assessments (p. 19)
      Managing Risks (p. 19)
      Configure Automation Rule (p. 20)
  Vendor Risk Management (p. 21)
    Overview (p. 21)
    Best Practices (p. 21)
    Execution (p. 22)
      Add Vendor via Exchange (p. 22)
      Create a Custom Vendor Workflow (p. 22)
      Add an Engagement (p. 22)
      Create a Report (p. 23)
      Offboarding a Vendor (p. 23)
  Enterprise Policy Management (p. 24)
    Overview (p. 24)
      What do policies do? (p. 24)
      Why do we need them? (p. 24)
      Policy Workflow (p. 24)
    Best Practices (p. 25)
    Execution (p. 25)
      Add a Policy (p. 25)
      Adding Controls to a Policy (p. 25)
      Relate a Vendor (p. 25)
      Create an Automation Rule (p. 26)
  Incidents Management (p. 27)
    Overview (p. 27)
    Best Practices (p. 28)
    Execution (p. 28)
      Register an Incident (p. 28)
      Create Incident Workflow (p. 28)
      Create a New Attribute & Link it to a New Web Form (p. 29)
      Link Incident to a Risk (p. 29)
  Audit Management (p. 30)
    Overview (p. 30)
      Objective (p. 30)
    Best Practices (p. 30)
    Execution (p. 31)
      Add a New Audit (p. 31)
      Add a New Attribute & Complete a Workpaper (p. 32)
      Remediate a Finding (p. 32)
      Create an Audit Report (p. 32)
  Glossary (p. 33)
    A (p. 33)
    B (p. 33)
    C (p. 33)
    D (p. 34)
    E (p. 34)
    F (p. 34)
    G (p. 34)
    I (p. 34)
    N (p. 35)
    P (p. 35)
    R (p. 35)
    S (p. 35)
    T (p. 35)
    V (p. 35)
    W (p. 36)
  Detailed Exercise Steps (p. 37)
    Users & Roles (p. 37)
      Create a New User (p. 37)
    IT Risk Management: Elements & Inventories (p. 37)
      Ex 1 Risk Scoring Methodology (p. 37)
      Ex 2 Adding Controls (p. 37)
      Ex 3 Populate Asset & Processing Activity Inventories (p. 38)
      Ex 4 Prepare for Common Risks (p. 38)
    IT Risk Management: Assessment & Risk Management (p. 39)
      Ex 1 Launching & Completing an Assessment (p. 39)
      Ex 2 Managing Risks (p. 40)
      Ex 3 Configure Automation Rules (p. 40)
    Vendor Risk Management (p. 41)
      Ex 1 Populate Vendor Inventory (p. 41)
      Ex 2 Onboarding Workflow (p. 41)
      Ex 3 Create an Engagement (p. 41)
      Ex 4 Creating a Report (p. 42)
      Ex 5 Offboard a Vendor (p. 42)
    Enterprise Policy Management (p. 43)
      Ex 1 Add a Policy (p. 43)
      Ex 2 Add Controls to Enforce a Policy (p. 43)
      Ex 3 Relate Vendors to Policy (p. 44)
      Ex 4 Automate Reminder for Expiring Policies (p. 44)
    Incidents Management (p. 44)
      Ex 1 Register an Incident (p. 44)
      Ex 2 Create a Workflow (p. 45)
      Ex 3 Create a New Attribute & Link it to a New Web Form (p. 45)
      Ex 4 Link Incidents with Risk (p. 46)
    Audit Management (p. 46)
      Ex 1 Configure new Workflow and add a New Audit (p. 46)
      Ex 2 Create a Workpaper with New Attributes (p. 47)
      Ex 3 Remediating a Finding (p. 48)
      Ex 4 Create an Audit Report (p. 48)
OneTrust GRC Certification Program Reference Guide
Prepared For:
OneTrust GRC Professional Certification Attendees
Version 7.0
Introduction
Welcome to the OneTrust GRC Certification Program Reference Guide, your comprehensive guide to
becoming a certified OneTrust GRC professional.
While OneTrust is the leading global software to operationalize data privacy compliance and Privacy by
Design, OneTrust also offers a Governance, Risk, and Compliance Solution (GRC). OneTrust GRC Integrated
Risk Management is a suite of integrated risk management products to identify, measure, mitigate, monitor,
and report on risk across operations.
Claiming Your OneTrust Badges
Handbook Tips
Using the Table of Contents
Clicking a row will bring you directly to that location!
Using Exercise Hyperlinks
Each exercise will have an overview of the functionality's importance.
Clicking the blue "here" will bring you to detailed steps of how to complete the exercise.
The blue header of that exercise can then be clicked to return to the overview section you were previously at.
Resources & Support
Sales
• Email: sales@onetrust.com
• Phone Numbers
  o London: +44 (800) 011-9778
  o Atlanta: +1 (844) 228-4440
  o Munich: +49 (175) 371-2983
Technical Support
• Email: support@onetrust.com
• Phone Number: +1 (844) 900-0472
Partner Support
• Email: partnersupport@onetrust.com
This partner support can assist with:
1. Scheduling Client Demonstrations
2. Submitting an RFI/RFP with OneTrust
3. Client Referrals
4. Account Strategy & Alignment
5. Additional Resources and Collateral
Other resources include:
1. Product Demonstration Videos
2. OneTrust Overview Brochure
3. How OneTrust Helps with GDPR Whitepaper
4. SmartPrivacy Workshops Registration
5. OneTrust Pricing Model
My OneTrust
• Website: my.OneTrust.com
My OneTrust is a platform that can be accessed by all OneTrust customers for additional resources, which
include, but are not limited to:
1. OneTrust Knowledgebase
2. Release Notes
3. Scheduled Maintenance
4. Live System Status
5. Submit a Ticket
6. Developer Portal
7. Get OneTrust Certified
Tenant Support Request
You can submit a support desk ticket directly to the OneTrust Support Team through your tenant by
following these steps:
1. Log into OneTrust
2. Click the Launch Pad in the top left corner then select “Get Help” in the bottom right
3. Fill out your inquiry in the message portal that pops up and click “Send”
Terminology & Frameworks Overview
What is Governance?
Governance is defined as the way rules, norms, and actions are structured, sustained, regulated, and held
accountable.
What is Risk?
Risk is defined as the possibility or chance of loss, adverse effect(s), danger, or injury.
What is Compliance?
Compliance is the act of ensuring your company and employees follow the laws, regulations, standards,
and ethical practices that apply to your organization.
Security Standards/Framework
• A series of documented processes that are used to define policies and procedures around the
  implementation and ongoing management of information security controls in an enterprise
  environment.
Controls Library
• Includes controls from recognized frameworks and custom controls which your organization can
  use to evaluate and describe the security and privacy requirements you have for vendors within the
  OneTrust application.
Control Implementations
• Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical
  property, information, computer systems, or other assets.
• An organization can use controls to evaluate and describe the security and privacy requirements
  necessary for vendors.
Commonly Used Frameworks
Organizations, Roles, & Users
Organizations, Roles, and Users are the settings that determine the user experience in the system. When
creating a new User, which an individual needs in order to log into the platform, that user must be associated
with at least one of each of the following:
• Organization – controls what data the user will have access to
o Organizations are configured in a hierarchical tree
• Role – controls what modules and processes the user will have access to
o Roles are individually configured with many base roles pre-configured in the system. Each role
is given specific permissions which can be filtered by module.
Adding a User Exercise
Adding users appropriately is important. Their access should be balanced: restricted enough that they can't
see or interact with data in ways outside of their responsibility, but not so restricted that they are
unable to perform their job. This balance is achieved by associating users with the proper Roles and
Organizations.
Click here for detailed steps on how to complete this exercise.
IT Risk Management: Elements & Inventories
IT Risk Management is defined as the set of policies, procedures, and technology that an
organization puts into place to reduce the threats, vulnerabilities, and other consequences of holding
unprotected data. OneTrust can assist our customers' IT Risk Management efforts by supplying efficient
tools to define and track risks and to apply mitigating measures to those risks. This chapter focuses on
anticipating common risks that your organization may face and preparing the tool to manage
these risks by thoroughly configuring your Controls Library, Elements, and Inventories.
Overview
Elements
[Figure: Elements of Risk Management: Risk, Threat, Vulnerability and Control. The diagram shows an Asset at the center, with Risk Initiators and Threats exploiting Vulnerabilities, Controls acting as compensating measures for mitigation, and Impact and Opportunity as outcomes. The definitions of Asset, Risk, Threat, Vulnerability and Control shown in the diagram are repeated below.]
An ASSET is an item of value to your business.
A RISK is a potential for loss, damage, or destruction of an asset as a result of a threat exploiting a
vulnerability.
A THREAT is anything that can exploit a vulnerability, either intentionally or accidentally, and obtain,
damage, or destroy an asset.
VULNERABILITIES can be defined as weaknesses or gaps in a security program that can be exploited
by threats to gain unauthorized access to an asset.
A CONTROL can be defined as an attribute or element (either real or conceptual) that acts as a
mitigating factor to reduce risk.
Elements Example
Inventories
Best Practices
- Risks are associated with inventory items (assets, processing activities, vendors, & entities)
  • If these inventories are not kept current, risks/inventory item relationships cannot be created in the
    system
  • Assessments can be used to automate this task
- Risks are given an Inherent Risk Level that determines the severity
  • low, medium, high, very high
  • Cross-team understanding and documentation of what constitutes these levels is crucial
- Assessments can be used to identify risks
  • Rules within assessments can automate this process for common risks
- Once risks are identified you can begin planning how to mitigate these risks
  • OneTrust has a Controls Library which includes
    o Custom Controls
    o Standards/Frameworks
  • Controls carry over into other modules
Execution
Risk Scoring Methodology
OneTrust includes two risk scoring methodologies, Standard and Matrix. The selected method needs to be
decided on and understood across several teams. When using the Risk Scoring Matrix, several items of that
matrix can be configured to meet your organization’s needs.
Click here for detailed steps on how to complete this exercise.
Adding Controls
The OneTrust tool provides users with a Controls Library, with the ability to add controls from multiple
standards/frameworks or from scratch and to associate them with inventory items such as Assets, Processing
Activities, Vendors, and Entities, and with Risks themselves. The controls in this library also extend into
other GRC modules, such as Audit Management.
Click here for detailed steps on how to complete this exercise.
Create an Asset & Processing Activity
While there are multiple ways to add inventory items, this exercise will use the manual interface. The
OneTrust tool gives our customers the ability not only to add and track inventory items, but to relate them
together to create a web of information. Risks are then able to be applied to all of these individual inventory
items, no matter the type.
Click here for detailed steps on how to complete this exercise.
Prepare for Common Risks
Once inventory items are configured and business processes determined, Assessment Templates should be
reviewed and/or created. Within these templates, identify the question responses that could indicate risk.
For those answers, rules can be put in place to auto-create risks in the system with pre-assigned controls
for swift management.
Click here for detailed steps on how to complete this exercise.
IT Risk Management: Assessment & Risk Management
In this module, we focus on using GRC Assessments to obtain information about our inventory items and
identify risks as well as mitigating these risks by use of the Risk Lifecycle.
Overview
A GRC Assessment can be defined as a survey that gathers evidence to determine risk. In simple form, GRC
assessments verify answers and provide access to key data:
• Is this control implemented?
• Attach pieces of evidence
• Explain
Regulation Example
ISO 27001 is the international standard that describes best practices for implementing and maintaining an
ISMS (information security management system). An ISO 27001 risk assessment is essential to that
process and is a core component of this standard. This type of risk assessment helps organizations:
• Understand specific scenarios that would result in their data being compromised
• Assess the damages these scenarios could cause
• Determine the likelihood of these scenarios happening
Assessment & Risk Lifecycle
Best Practices
- To make the most out of the Assessment Lifecycle, determinations will have to be made:
  • Who knows the most about this inventory item?
    o Internal or external?
  • Who would be the best person to identify risks from these responses?
- Similar to the Assessment Lifecycle, the Risk Lifecycle should have the best people possible to mitigate
  the risk down to a lowered level
  • Who is most capable of doing the work for the treatment plan?
  • Who knows best to approve of this work?
- Once risks are at a lowered level, they have the possibility to come back up due to changes in business
  processes or inventory items
  • To ensure risks stay at this lowered level, inventories need to be continuously updated to ensure no
    risks are slipping through the cracks
Execution
Delivering Assessments
Once the best respondents have been determined, we need to send them the questionnaire template we
created previously. Once a template is sent to a respondent, it’s called an Assessment. In this exercise, we
will launch an assessment to ourselves so that we can then see the Respondent’s side of how to complete
and submit the answers to an approver.
Click here for detailed steps on how to complete this exercise.
Managing Risks
Assessment responses can trigger the system to auto-create risks through built-in rule logic, so the next
step is to remediate the risk.
Click here for detailed steps on how to complete this exercise.
Configure Automation Rule
Now that we’ve sent an assessment, have gotten it answered, then identified and managed a risk, we want to
make sure we continue to monitor both the risk and inventory items in the future. To do this, we can
automate the sending of assessments by use of various triggers. When that trigger (called a Condition) is
met, the system will send another assessment to the specified respondent and the processes we’ve practiced
in this lesson will continue.
Click here for detailed steps on how to complete this exercise.
Vendor Risk Management
While business relationships with third-party vendors can often align with your organization's goals, they
also have the potential to introduce the same types of threats, vulnerabilities, and risks that we discussed in
prior modules. This module covers an overview, best practices, and practical steps in the OneTrust tool to
help organizations manage these factors.
Overview
Best Practices
- Workflows are important to various stages of your relationship with a third party
  • Onboarding
  • Offboarding
  • Each workflow can have specific stages, tasks, rules, notifications, and more
- Engagements specify the services provided by a vendor (e.g. consulting, support, implementation, and more)
  • Record the time and resources allocated to an activity or service
  • Risks can be associated with individual engagements (a more specific level than Vendors)
- The Dashboard tab provides high-level information on what’s in the module
  • Reports allow for configurable, more detailed columns that can be exported
Execution
Add Vendor via Exchange
Click here for detailed steps on how to complete this exercise.
Create a Custom Vendor Workflow
Click here for detailed steps on how to complete this exercise.
Add an Engagement
Click here for detailed steps on how to complete this exercise.
Create a Report
You can create a new report to display information and details about your audit. Reports can be created
using one of the Reports Gallery templates that are preconfigured with module-specific fields, or created
manually using the Custom Report template. All templates display by default but can be narrowed down
based on your selected data source or report type; in this case, our source is Audit Management.
Click here for detailed steps on how to complete this exercise.
Offboarding a Vendor
Click here for detailed steps on how to complete this exercise.
Enterprise Policy Management
The Enterprise Policy Management module provides a centralized process for creating and managing
policies, standards, and internal control procedures that are cross-mapped to external regulations and best
practices. The policy inventory is used to capture internal policies for an organization.
Policies can also be linked to controls, related to an inventory, and you can manage all policies
centrally in one location. Policies help with managing the end-to-end policy workflow, from the creation of
new policies to retiring policies that are no longer needed.
Overview
What do policies do?
Clarify expected output & behavior of an organization's members in the context specific to that organization
(groups can include employees, volunteers, and other members such as board members).
Why do we need them?
• Guide Daily Workplace Activities
• Promote Compliance with Laws & Regulations
• Provide a Strategic viewpoint for decision making
• Aid in simplification of processes
Policy Workflow
Best Practices
Three questions to ask when determining necessary policies:
- Is this a policy that is being created in anticipation of needing it later on?
- Or alternatively, is this policy created in response to a need that has come up?
- Is this policy internal or external to our organization?
Two main use cases:
- Notification reminders of upcoming expiration dates of policies
- Prompts for policies that have been in an under-review stage for an unexpectedly long time
Execution
Add a Policy
Policies can be created in OneTrust through various methods, including loading via template, building from
scratch, or editing a pre-built template within the tool. These policies can then be edited, revised, reported
on, and linked with controls to define the processes of different types that your organization practices,
keeping GRC protocols top of mind.
Click here for detailed steps on how to complete this exercise.
Adding Controls to a Policy
Once policies are created, they can be linked with controls to ensure proper implementation and continued
efficacy. Those controls can come from a Standard/Framework or be ones that were manually configured in
the Controls Library (as was demonstrated in the IT Risk Management module).
Click here for detailed steps on how to complete this exercise.
Relate a Vendor
Policies can extend beyond the bounds of the organization and look outward towards relationships with
vendors. Similar to how risks can be linked to inventory items, or even how controls can be linked to Policies,
Policies can be linked to Vendors that have been added to the Vendor Inventory.
Click here for detailed steps on how to complete this exercise.
Create an Automation Rule
As the workflow in the overview shows, Policies eventually come to an end. This could be because a process
has ended or because it’s time to review and update the details. Whatever the reason, a rule can be created in
the system that automatically reminds specified users when a policy is approaching its expiration date; it is
configured similarly to the rule that auto-created risks from assessments.
Click here for detailed steps on how to complete this exercise.
Incidents Management
When incidents occur, it’s best to have the means to respond to and mitigate them. This module includes an
overview, best practices, and practical steps within the tool to help organizations manage incident
recording, notification, and processing, as well as useful associations for mitigation.
Overview
- Organizations must display responsibility for ensuring implementation of adequate security measures per
  certain regulations/initiatives
  • Authorities must be contacted no later than 72 hours after an organization becomes aware of a breach
  • Consequences for contractual failure or missed deadlines can include regulatory investigation and
    significant financial penalties
- Organizations must adopt security, technical, and administrative measures capable of protecting personal
  data from unauthorized access
  • The Controller must contact the Supervisory Authority and the Data Subject
  • The ANPD must be contacted within 2 business days after the organization becomes aware of a breach
Method Example: Breach Response Plan
A Breach Response Plan provides guidelines for organizations to follow each time a breach is discovered. It
consists of specific recording of the incident, assignment of directly responsible individuals, and use of
process workflows for responding to an incident.
Best Practices
- Webforms created within OneTrust can create incidents directly in the Incidents Register
  • If additional information is needed after the webform, Assessments can be used to update the incident
- Centralizes communication, tracks accountability, and improves upon response times
Execution
Register an Incident
The Incident Register can be utilized as a repository for documenting incident details, stage progression,
assessments, subtasks, and more to foster accountability and decision-making. Users can assign owners,
establish deadlines, and schedule reminders to ensure incident management timelines are met. Incidents
can be reported into this centralized Register manually or by use of a Web Form.
Click here for detailed steps on how to complete this exercise.
Create Incident Workflow
Incident Workflows are a series of configurable steps that help organizations manage incidents with
rule-based notifications, tasks, attachments, a centralized communication portal, and more, with the ability
to assign specific owners to key items. All these tools allow teams to properly mitigate incidents, and their
associated risks, in a timely fashion. Organizations can create multiple workflows to meet the variety of
incidents that can occur.
Click here for detailed steps on how to complete this exercise.
Create a New Attribute & Link it to a New Web Form
The Attribute Manager allows users to create and view attributes (both active and inactive) and create new
custom attributes. Active attributes can be added to assessments to gather more information about the
incidents. Users can also group like attributes to appear during the incident creation on the details screen.
Web Forms can be built within OneTrust and used by external users via a link or a website, if it has been
embedded, to submit incidents directly to the Incident Register.
Click here for detailed steps on how to complete this exercise.
Link Incident to a Risk
Users can easily view and manage all associated risks to an incident by linking the two together in the Risk
Register.
Click here for detailed steps on how to complete this exercise.
Audit Management
OneTrust’s Audit Management module enables a risk-based approach to an organization’s GRC audit efforts
to recognize the scope of business practices, their impact, and where proposed measures for improvement
can be effectively implemented.
Overview
The Audit Management Module automates the workstreams of audit teams, optimizing resources and
productivity. It is an assessment of methods and policies of an organization's management in the
administration and the use of resources, tactical and strategic planning, and employee and organizational
improvement.
Objective
• Simplify and organize the workflow and collaboration process of compiling audits
• Ensure that board-approved audit directives are implemented
Best Practices
- Decide what risks are being tracked or which Standard or Framework is to be utilized.
- Plan your Work Paper, which is the document that records the audit evidence obtained during the course of
  an audit, across the various types of auditing: financial statement auditing, internal management
  auditing, information systems auditing, and investigations.
- Assign an auditor. This role should be independent of the organization’s management so that the audit is
  unbiased.
- These three aspects of the controls should be tested:
  • The implementation of the controls you will be auditing against
  • The design and effectiveness of the controls
  • The record of their activity
- After the auditor has completed their work, findings need to be consolidated. Once all evidence is
  gathered, it should be reviewed in detail to identify any audit findings. This review is based on the
  historical understanding of the process, the historical evidence obtained, and the auditor’s professional
  judgment on the adequacy of the evidence provided.
Based on auditor findings, management will need to recommend compensating or complementary controls
to address the risks identified in the audit. What is the effect of these controls on the risks identified, and do
they reduce the residual risk to an acceptable level? Lastly, what is the frequency of our audits (when will
we re-assess the findings)?
Execution
Add a New Audit
New audits can be created in the Audit Management tool by entering the following:
- Audit name
- Standard/Framework
- Organization
- Auditors and Approvers
- Scope
Once created, details and scope can be added and updated, attachments can be uploaded, tasks can be
completed, workpapers can be created, and findings can be documented.
Click here for detailed steps on how to complete this exercise.
Add a New Attribute & Complete a Workpaper
Workpapers provide auditors a centralized location to document and manage both work and findings by
providing access to existing evidence, assessments, and control implementations. Pre-made and/or custom
attributes on workpapers create flexibility and alignment with an organization’s needs.
Click here for detailed steps on how to complete this exercise.
Remediate a Finding
A Finding is a compliance issue and/or gap identified by an auditor, documented on a workpaper, and
managed through its own workflow. Actions can be documented for each finding on an Action Plan for
remediation purposes.
Click here for detailed steps on how to complete this exercise.
Create an Audit Report
Audit reports can display details about all audits in the system. Reports can be created using a preconfigured template with Audit Management as the data source or manually via a Custom Report option.
Click here for detailed steps on how to complete this exercise.
Glossary
A
Assessment – A list of questions assigned to a respondent within the OneTrust tool that requires a response
by the respondent(s) and subsequent approval by an assigned approver(s).
Asset – Anything that can store or process personal data. This can include an application, website, database,
or even physical storage. In GRC, this can also be defined as an item of value to a business.
Audit – An official inspection and independent review of information within an organization conducted with
a view to express an opinion thereon.
B
Breach Response Plan – Provides guidelines for organizations to follow each time a breach is discovered. It
consists of specific recording of the incident, assignment of directly responsible individuals, and use of
process workflows for responding to an incident.
C
Controller – The entity that determines the purposes, conditions, and means of the processing of personal
data.
Controls – They are safeguards or countermeasures to avoid, detect, counteract, or minimize security
risks to physical property, information, computer systems, or other assets.
Controls Library - Includes controls from recognized frameworks and custom controls that your
organization can use to evaluate and describe the security and privacy requirements you have within the
OneTrust application.
Compliance - the act of ensuring your company and employees follow the laws, regulations, standards, and
ethical practices that apply to your organization.
Cloud Security Alliance (CSA) - an industry organization dedicated to helping “ensure a secure cloud
computing environment” – founded in 2009
CSA Cloud Controls Matrix (CCM) - a cybersecurity control framework for cloud computing, composed of
133 control objectives that are structured in 16 domains covering all key aspects of the cloud technology
D
Data Element – Pieces of collected information that, together, build a complete picture of the data.
Data Subject – A natural person whose personal data is processed by a controller or processor.
E
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is
only accessible/readable by those with specified access.
Entity – A registered business involved in and responsible for data processing.
F
Finding – An issue and/or compliance gap identified by an auditor through an audit work paper.
FedRAMP – The Federal Risk and Authorization Management Program – A government-wide program that
provides a standardized approach to security assessment, authorization, and continuous monitoring for
cloud products and services. The governing bodies of FedRAMP include: JAB, OMB, CIO Council, FedRAMP
PMO, DHS, and NIST.
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents
of the European Economic Area. Passed in 2016, in effect in 2018.
Governance - the way rules, norms & actions are structured, sustained, regulated, and held accountable.
I
ISO 27001 – International Organization for Standardization (ISO) 27001 (formally known as ISO/IEC
27001:2005) is a specification for an information security management system (ISMS). Issued and
maintained by the International Organization for Standardization.
ISO 29001 – International Organization for Standardization (ISO) 29001 - ISO 29001 defines the quality
management system for product and service supply organizations for the petroleum, petrochemical, and
natural gas industries.
IT Risk Management - The set of Policies, Procedures, as well as the technology that an organization puts
into place to reduce threats, vulnerabilities, and other results caused by having unprotected data.
N
NIST 800-171 – The National Institute of Standards and Technology – NIST Special Publication 800-171
governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.
P
Policy – Clarifies expected output & behavior of an organization's members in the context specific to that
organization (groups can include employees, volunteers, and other members (board members, etc.)
Processing Activity – An activity where data is touched, stored, or moved.
R
Risk – The possibility or chance of loss, adverse effect(s), danger, or injury.
Risk Register – A central list that includes all risks created within a variety of portions of the OneTrust tool.
S
Security Standards/Framework - A series of documented processes that are used to define policies and
procedures around the implementation and ongoing management of information security controls in an
enterprise environment.
T
Template – A list of questions pre-populated in the OneTrust tool that can be created or modified and
assigned to someone as an assessment.
Threat – Anything that can exploit a vulnerability, either intentionally or accidentally, and obtain, damage,
or destroy an asset.
V
Vendor – A third-party service provider.
Vendorpedia Exchange – a library of vendors within the OneTrust tool that contains detailed security and
privacy profiles of thousands of global vendors. Each profile provides extensive information on the vendor
details, services, and related certificates.
Vulnerability – Defined as weaknesses or gaps in a security program that can be exploited by threats to gain
unauthorized access to an asset.
W
Workpaper – Workpapers provide auditors a central location to manage audit work for compliance control.
Auditors can access existing evidence, assessments, and control implementations to build their view of a
control’s effectiveness.
Detailed Exercise Steps
Users & Roles
Create a New User
Step 1: Click the “Global Settings” gear cog icon at the top right of the screen
Step 2: Click the “Users” tab on the far left of the screen
Step 3: Click the blue “Add User” button on the top right of the screen
Step 4: Add a first name and last name (use an imaginary character or your own)
Step 5: Add your own Email Address
Step 6: Click the blue “Next” button at the bottom right of the screen
Step 7: Click the blue “Add Role” button in the center of the screen
Step 8: Click on the “Role” field and select “Assessments Manager”
Step 9: For Organization, select OneTrust, then click the white “Save and Add New” button
Step 10: Go back to Role, and select “Auditor” then click white “Save and Add New” button
Step 11: Go back to Role, and select “Enterprise Policy Manager” then click white “Save and Add New” button
Step 12: Go back to Role, and select “Incidents Manager” then click white “Save and Add New” button
Step 13: Go back to Role, and select “IT Risk Manager” then click white “Save and Add New” button
Step 14: Go back to Role, and select “Vendor Manager” and this time click the blue “Add” button at the
bottom right of the screen
Step 15: Click the blue “Create” button at the bottom right of the screen
IT Risk Management: Elements & Inventories
Ex 1 Risk Scoring Methodology
Step 1: Click the “Launch Pad” (grid icon) at the top left of the screen
Step 2: Click on the IT Risk Management Module
Step 3: Click the “Settings” tab on the menu on the left
Step 4: Click the Scoring Methodology dropdown and select either Matrix or Standard
Note: If you choose Standard, the next steps are not necessary
Step 5: If you chose Matrix, click the green plus buttons to add a new column and row – label them both
“Urgent”
Step 6: Make the furthest top right square read 9 instead of 8.
Step 7: Scroll down to the Risk Level Ranges bar and then drag the yellow marker to 4, the pink marker to 6,
and the red marker to 8.
Step 8: Click the blue “Save” button at the bottom right of the screen and click “Save” again on the pop up
window
Ex 2 Adding Controls
Part 1
Step 1: Click the “Launch Pad” at the top left of the screen
Step 2: Click on the IT Risk Management module
Step 3: Click the “Libraries” tab on the left side of the screen to expand that section
Step 4: Click the “Controls Library” tab
Step 5: Click the blue “Add New” button at the top right of the screen
Step 6: For Control ID, type “A.9 4.3 (2)”
Step 7: For Name, type “Password Management System”
Step 8: For Status, select “Active”
Step 9: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” from the list
Step 10: Click the blue “Save” button at the bottom right of the menu
Part 2
Step 1: Click the white “Add Standard/Framework” button at the top right of the screen
Step 2: Type “NIST” into the search bar at the top right of the screen and click enter
Step 3: Click on “NIST Cybersecurity Framework (CSF) Core v1.1”
Step 4: Click the blue “Add” button at the bottom right of the menu
Ex 3 Populate Asset & Processing Activity Inventories
Part 1
Step 1: Click the “Assets” tab on the left side of the screen under the “Inventory” section
Step 2: Click the blue “Add New” button at the top right of the screen
Step 3: For Name, type “Payroll Database”
Step 4: For Managing Organization, select “OneTrust”
Step 5: For Hosting Location, select a country of your choice
Step 6: For Type, select “Database” from the list
Step 7: Click the blue “Save” button at the bottom right of the menu
Part 2
Step 1: Click the “Processing Activities” tab on the left side of the screen under the “Inventory” section
Step 2: Click the blue “Add New” button at the top right of the screen
Step 3: For Name, type in “Monthly Compensation Calculation”
Step 4: For Managing Organization, select “OneTrust”
Step 5: Click the blue “Save” button at the bottom right of the menu
Part 3
Step 1: Click the “Related” tab near the top of the newly created Processing Activity from Part 2
Step 2: Scroll down to the “Related Assets” section and click “Add Related Asset”
Step 3: Click the “Choose an asset” box and select the asset you created in Part 1
Step 4: Check the “Related” box under the “How is asset related?” section
Step 5: Click the blue “Add Related” button
Ex 4: Prepare for Common Risks
Part 1
Step 1: Expand the “Setup” section on the left menu
Step 2: Click the “Templates” tab
Step 3: Click the “View” button in the ITRM Templates box
Step 4: Click the blue “Choose from Gallery” button in the top right
Step 5: Type “Asset Discovery” in the search bar at the top
Step 6: Hover over “Asset Discovery Questionnaire – 2.4” and click the blue “Preview” button
Step 7: Click “Choose This Template” in the bottom right
Step 8: Add your initials to the front of the name (“XXX – Asset Discovery Questionnaire – 2.4”)
Step 9: Click “Create Template” in the bottom right
Part 2
Step 1: Click the arrow to the far right of the first section (Asset Information) to view all the questions within.
Step 2: Drag the “Yes/No” Question Type box from the left and drop it between questions 1.1 and 1.2 (make sure to drop it in the blue box that appears, reading “Drop Question Here”)
Step 3: In the “Question” field, type “Is access to this asset restricted to only individuals that require access?”
Step 4: Click the blue “Save” button in the bottom right
Part 3
Step 1: Click the “Rules” tab near the top of the screen & click the “Add Rule” button
Step 2: Name the rule “No Access Control”
Step 3: Populate the “Trigger” box with “Question”
Step 4: Populate the newly clickable “Question” box with the Yes/No question you just created
Step 5: Populate the “Operator” box with “Equal To”
Step 6: Populate the “Response” box with “No”
Step 7: In the “Select an Action” box, choose “Create Risk”
Step 8: Click the circle for “Create New Risk”
Step 9: Give the risk an Inherent Risk Level and a Description (“Access to asset is not limited to only those that require access.”)
Step 10: Click the “Add Risk Control” button near the bottom & select “ISO/IEC 27001:2013 (27002)” on the left
Step 11: Check the boxes for “A.9: Access Control” and “A9.1.1: Access Control Policy” then click “Add”
Step 12: Click “Save” in the bottom right
Step 13: Click “Publish” in the top right
Step 14: Click “Confirm” near the middle
IT Risk Management: Assessment & Risk Management
Ex 1 Launching & Completing an Assessment
Part 1
Step 1: Click on the “Active” tab under the “Assessments” section on the left menu
Step 2: Click the blue “Launch Assessment” button at the top right of the screen
Step 3: Select the Template you previously published
Step 4: For Name, enter “Payroll Database Required Review”
Step 5: For Organization, select “OneTrust”
Step 6: For Primary Record Type, select “Assets”
Step 7: For Primary Record, select the asset you created (Payroll Database) from the list
Step 8: Select yourself (Admin###) for both Respondent and Approver
Step 9: Click the blue “Launch” button at the bottom right of the screen
Part 2
Step 1: Click the “Asset Information” section on the left
Step 2: Answer the question you created with “No”
Step 3: Answer a few more questions (the only question that must be answered is the one you created)
Step 4: Click the blue “Submit” button in the bottom right
Step 5: Click the blue “Confirm” button
Ex 2 Managing Risks
Step 1: Click the “Risk Register” tab on the left menu
Step 2: Click the description of the risk that was created when you submitted the assessment
Step 3: Advance your risk to the “Treatment” phase by clicking “Advance”
Step 4: Enter a Risk Owner (Assign to me) and a Treatment Plan of your choice (e.g., “Create and assign an access control policy to this asset”)
Step 5: Click the “Save & Advance” button
Step 6: At the top right of the screen, click the white “Request Exception” button
Step 7: For Comments, enter “Access to this database is open for all, but within the asset there are restricted areas to select employees.”
Step 8: Click the blue “Submit” button
Step 9: Click the blue “Grant Exception” button at the top right of the screen
Step 10: For Result, select “Reduced,” or a result of your choice
Step 11: Change the “Residual Risk Level” to a lower score
Step 12: Click the blue “Confirm” button
Ex 3 Configure Automation Rules
Part 1
Step 1: Click the “Automation Rules” tab inside the "Setup" section on the left menu
Step 2: Click the blue “Add Rule Group” button at the top right of the screen
Step 3: For Rule Group Name, enter “Asset Rule Group”
Step 4: For Organization, select “OneTrust”
Step 5: Click the blue “Add” button at the bottom right of the menu
Part 2
Step 1: Click the blue “Add Rule” button at the center of the screen
Step 2: For the “Select a Rule Type” dropdown, select “Asset”
Step 3: Click the blue “Continue” button
Step 4: For Rule Name, type in “Asset Review Rule”
Step 5: For Frequency, select “Monthly” from the drop-down menu
Step 6: For the Trigger dropdown, select “Last Assessment Completion Date – By Template”
Step 7: For the Operator dropdown, select “Equal To”
Step 8: For Number, enter 6 (6 months = “180 days”)
Step 9: Click the “Select a Template” field and select the template you created earlier
Step 10: For the “Actions” dropdown, select “Send Asset Assessment”
Step 11: Click into the “Template Name” field & select the template you created earlier
Step 12: Click the blue “Save” button at the bottom right of the screen.
Vendor Risk Management
Ex 1 Populate Vendor Inventory
Step 1: Click on the Launchpad at the top left
Step 2: Click on the “Third-Party Risk Exchange” module
Step 3: Click on the “Exchange” tab on the left menu
Step 4: Click on OneTrust’s logo
Step 5: Review the details of the company
Step 6: Click the white “Add” button at the top right of the screen and then click “Confirm”
Step 7: Click the Launchpad at the top left of the screen
Step 8: Select the “Vendor Risk Management” module
Step 9: Click “Vendors” under the “Inventory” header on the left menu
Step 10: Click the name of the Vendor you just added (OneTrust)
Step 11: Review how the data in the inventory matches what was in the Exchange
Ex 2 Onboarding Workflow
Step 1: Select the “Workflows” tab in the “Setup” section on the left menu
Step 2: Select “View” under the “Vendor Workflows & Routing Rules” tile
Step 3: Select the “Default Onboarding” workflow
Step 4: Clone the workflow by clicking the blue “Clone” button in the top right
Step 5: Name your workflow “XX: Default Onboarding” (XX = your initials)
Step 6: Then click the blue “Clone” button
Step 7: Select the new workflow you created under the list of workflows
Step 8: Select the “Under Evaluation” stage
Step 9: Click the “Workflow Rules” tab
Step 10: Click the white “Add” button under “Event Triggers”
Step 11: For “Trigger Name”, type in “Skip to In Review”
Step 12: For “Trigger Type” select “Assessment Submitted”
Step 13: Click the blue “Save” Button
Step 14: In the middle, select the blue “Add Rule” button
Step 15: For “Rule Name” type “Assessment Completed Stage Rule”
Step 16: Under Conditions, set the trigger to “Assessment Stage – By Template”
Step 17: Select “Completed” in the “Select Assessment Stage” dropdown
Step 18: In the “AND” condition, select the template “Vendor Privacy & Security Program Questionnaire (VRM)”
Step 19: Under Actions set the stage as “In Review”
Step 20: Then select the blue “Save” button
Step 21: Select the blue “Publish” button at the top and then again in the middle
Ex 3 Create an Engagement
Step 1: Select “Engagements” on the left side of the screen
Step 2: Click the blue “Add Engagement” button
Step 3: For Engagement Name, type “Governance, Risk & Compliance”
Step 4: For Engagement Organization, select “OneTrust”
Step 5: For Engagement Type, select “Vendor Engagement”
Step 6: For Engagement Vendor, select “OneTrust”
Step 7: For Services, add “Governance”, “Risk”, and “Compliance”
Step 8: For Engagement Internal Owner, select yourself (Admin####)
Step 9: For Engagement External Contact, add an email address you have access to
Step 10: For Engagement Notes, type “Software to support our organization’s GRC efforts”
Step 11: Select the blue “Add” button in the bottom right
Ex 4 Creating a Report
Step 1: Click on the “Launch Pad” at the top left
Step 2: Scroll to the bottom, under the “General Apps” section, and select “Reports”
Step 3: Select the blue “Create New” button at the top right of the screen
Step 4: Under the “Data Source” column on the left, select “Vendor Management”
Step 5: Select the report “Basic Vendor Review”
Step 6: Click the blue “Next” button at the bottom right of screen
Step 7: For “Report Name,” type “XX – Vendor Report” (XX = your initials)
Step 8: Click the blue “Create” button at the bottom right of screen
Step 9: Select the funnel icon at the top right of the grid
Step 10: Click the blue “Add Filter” button
Step 11: For Field, select “Classification”
Step 12: Select “Active” for the value
Step 13: Then select the blue “Save” button
Step 14: Click on the blue “Apply” button
Step 15: Click on the columns icon (just to the left of the funnel)
Step 16: Search for “Risk Level” from “Available Fields” section on the left
Step 17: Select the “>” button to move it to the “Visible Fields” section on the right
Step 18: Move the position of “Risk Level – Risk” up a few positions by using the “^” button on the right
Step 19: Click the blue “Apply” button on the bottom right of the menu
Step 20: Click the white “Save” icon at the top right of screen
Step 21: Click the blue “Export” button at the top right of the screen
Step 22: Select whether you want the report as an Excel or CSV file
Note: The Notifications button at the top right (the bell icon with a red number badge) will notify you when the report is ready to download.
Ex 5 Offboard a Vendor
Part 1
Step 1: Click the Launch Pad at the top left and go into the “Vendor Risk Management” module
Step 2: Click the “Workflows” tab under the “Setup” section on the left menu
Step 3: Click the blue “View” button in the “Vendor Workflows & Routing Rules” tile
Step 4: Click on the “Default Offboarding” workflow name
Step 5: Click the blue “Clone” button at the top right of the screen
Step 6: For Workflow Name, type in “High Risk Offboarding”
Step 7: Click the blue “Clone” button at the bottom right of the menu
Part 2
Step 1: Click into “High Risk Offboarding” workflow
Step 2: At the top of the screen, click the “+” button between “In Review” and “Audit”
Step 3: For Stage Title, type “Data Purge Verification”
Step 4: Click the blue “Add” button at the bottom right of the menu
Step 5: Click the “Stage Rules” tab at the top middle of the screen
Step 6: Click the blue “Add Rule” button in the center of the screen
Step 7: For Rule Name, enter “Data Purge”
Step 8: For the Actions dropdown, select “Create Task”
Step 9: For Name, type “Verify all essential data is purged from vendor and backed up onto secure storage”
Step 10: Select an Assignee
Step 11: Click the blue “Save” button at the bottom right of the menu
Step 12: Click the blue “Publish” button at the top right of the screen
Step 13: Click “Publish” in the center of the screen
Enterprise Policy Management
Ex 1 Add a Policy
Step 1: Click on the Launch Pad at the top left of the screen
Step 2: Click on the “Enterprise Policy Management” module
Step 3: Click the “Policies” tab on the left side of the screen
Step 4: Click the blue “Create Policy” button at the top right of the screen
Step 5: Select the “Import from Gallery” option and click the blue “Next” button
Step 6: In the Search Bar, type “Database”
Step 7: Hover over the “SANS Database Credentials Coding Policy” tile and click the “Preview” button
Step 8: Scroll through the contents then click the blue “Choose Policy” button at the bottom right
Step 9: For Policy Name, type “Database Credentials Policy”
Step 10: For Managing Organization, select “OneTrust”
Step 11: Select a Policy Owner and Policy Approver
Step 12: Click the blue “Create” button at the bottom right of the menu
Ex 2 Add Controls to Enforce a Policy
Step 1: Click on the “Policies” tab on the left menu
Step 2: Click on the Policy you created
Step 3: Click on the “Controls” tab at the top middle of the screen
Step 4: Click the blue “Add Control” button in the center of the screen
Step 5: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” on the left side of the menu
Step 6: In the Search Bar at the top right, type “A9”
Step 7: Check the box for “A9.1.1 Access control policy”
Step 8: Scroll down to and check the box for “A9.2 User access management”
Step 9: In the Search Bar at the top right, type “A.9”
Step 10: Check the box for “A.9 Access control”
Step 11: Click the blue “Add” button at the bottom right of the menu
Ex 3 Relate Vendors to Policy
Step 1: Click on the “Policies” tab on the left menu
Step 2: Select the policy you created
Step 3: Click on the “Related” tab for that policy
Step 4: Scroll down and click the “Add Related Vendor” button
Step 5: Click on “Choose Vendor” and select a Vendor of your choice
Step 6: Click the blue “Add Related” button
Ex 4 Automate Reminder for Expiring Policies
Step 1: On the left menu, select “Automation Rules” under the “Setup” section
Step 2: Click the blue “Add Rule Group” button in the top right
Step 3: For Rule Group Name, type “Policy Rules”
Step 4: Select “OneTrust” as the Organization
Step 5: Click the blue “Add” button
Step 6: Click the blue “Add Rule” button
Step 7: Select “Policy” in the Rule Type drop-down
Step 8: Click the blue “Continue” button
Step 9: For Rule name, type “Expiring Policy Rule”
Step 10: Select “Daily” as the Frequency, click the black arrow to the right, then select a time of day of your choice
Step 11: Under Conditions, set the trigger as “Attribute”
Step 12: Select “Expiration Date” for the “Select Attribute” box
Step 13: Select “Equal To” for the Operator
Step 14: Add “7” for the “Number” box
Step 15: Keep the “Days Before” option
Step 16: Under Actions, select “Send Approval Reminder Email” from the drop down
Step 17: Click the blue “Save” button in the bottom right
Incidents Management
Ex 1 Register an Incident
Step 1: Click the Launch Pad in the top left and select “Incident Response”
Step 2: Click the “Incident Register” tab on the left menu
Step 3: Click the blue “Add New” button at the top right of the screen
Step 4: For “Incident Type”, select “User Account Compromise”
Step 5: For Organization, select “OneTrust”
Step 6: For Name, type “Data via Unauthorized Access”
Step 7: For Description, type in a description of your choice
Step 8: Choose any date from the past for the Date Occurred field
Step 9: Choose any date between the Date Occurred and the current date/time for Date Discovered
Step 10: Type in a root cause of your choice
Step 11: Click the blue “Save” button at the bottom right
Ex 2 Create a Workflow
Part 1
Step 1: Click the “Workflows & Rules” tab in the “Setup” section on the left menu
Step 2: Click “Default Workflow”
Step 3: Click the white “Clone” button at the top right
Step 4: For workflow name, type in “Data Incident Workflow”
Step 5: Click the blue “Clone” button
Part 2
Step 1: Click into your new workflow
Step 2: At the top middle of the screen, click the “+” button in between “Investigating” and “Remediating”
Step 3: For stage name, type “Risk Analysis”
Step 4: Click the blue “Add” button at the bottom right of the menu
Step 5: Click on the “Rules” tab
Step 6: Click the blue “Add Rule” button in the center of the screen
Step 7: For Rule Name, type in “Notification Rule”
Step 8: For the Actions dropdown, select “Send Notification”
Step 9: For recipients, type in your email and click “Assign to: <your email>” option in the dropdown list
Step 10: For Subject, type “Data Incident Occurrence – Notify CIO”
Step 11: For Body, type “There has been a data incident, please visit the incident register for more details”
Step 12: Click the blue “Save” button at the bottom right of the screen
Step 13: Click the blue “Publish” button at the top right of the screen
Step 14: Click the blue “Publish” button in the center of the screen
Part 3
Step 1: Click the “Workflows & Rules” tab on the left side of the screen
Step 2: Click the “…” button to the far right of your new workflow
Step 3: Select “Set as default”
Step 4: Click the blue “Confirm” button
Ex 3 Create a New Attribute & Link it to a New Web Form
Part 1
Step 1: Click the “Attribute Manager” tab in the “Setup” section on the left menu
Step 2: Click the blue “Add Attribute” button
Step 3: Add a Name for the new attribute (“Incident Location”)
Step 4: Add a Description as a question (“Where did the incident happen?”)
Step 5: For Response Type, choose “Single Select” and add 3 cities on the right for options
Step 6: Click on the blue “Save” button
Part 2
Step 1: Click the “Web Forms” tab under the “Setup” section on the left menu
Step 2: Click the blue “Add New” button in the top right
Step 3: Add a name (OneTrust Web Form) and click the blue “Create” button
Step 4: In the “Form Fields” section, add the following: Date Discovered, Date Occurred, Description, Incident Type, and the new attribute you created
Step 5: In the “Form Styling” section, personalize your new Web Form header by adding a logo and changing the color
Step 6: OPTIONAL – Edit the text in the “Form Text” section
Step 7: Click on the white “Save Template” button in the top right
Step 8: Click on the blue “Publish” button in the top right and then the center of the screen
Step 9: Click the white “Test” button on the menu that appears
Step 10: Fill the fields and click “Submit”
Step 11: Close the tab to return to the original screen
Ex 4 Link Incidents with Risk
Step 1: Click the “Incident Register” tab on the left menu
Step 2: Click into the incident you created in the previous exercise
Step 3: Click on the “Risk Analysis” stage across the top
Step 4: Click on the “More” tab and select “Risks”
Step 5: Click the blue “Add Risk” button in the middle of the screen
Step 6: Check the box on the left for the risk you created earlier
Step 7: Click the blue “Link to Incident” button on the bottom right
Step 8: Click the blue “Advance” button to move the incident to the “Complete” stage
Audit Management
Ex 1 Configure new Workflow and add a New Audit
Part 1
Step 1: Click on the Launch Pad and select the “Audit Management” module
Step 2: Click on the “Workflows” tab on the left menu
Step 3: Click the “View” button in the “Audit Workflows” tile
Step 4: Click the (…) button for the “Default Audit Workflow” and select “Clone”
Step 5: For “Workflow Name,” type “Internal 2022 Audit Workflow” and click the blue “Clone” button
Step 6: Click into the newly created workflow
Step 7: Between the “Field Work” and “Completed” stages, click the “+” button
Step 8: For “Stage Title,” type “In Progress” and set the “Badge Color” to blue (In Progress)
Step 9: Click the blue “Add” button
Step 10: Click “Publish” in the top right
Step 11: Click Confirm
Step 12: Click the blue hyperlink “Audit Workflows” in the top right
Step 13: Click the (…) button for the new workflow, select “Set as default,” then click “Confirm”
Part 2
Step 1: Click on the “Audits” tab on the left menu
Step 2: Click the blue “Create Audit” button at the top right
Step 3: For Audit Name, type “Database Controls Audit 2022”
Step 4: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)”
Step 5: For Organization, select “OneTrust”
Step 6: Select yourself (Admin####) for both Auditor and Recipient
Step 7: Click the blue “Next” button at the bottom right
Step 8: Click the white “Select” button for the “Controls” row
Step 9: Select a framework on the left side of the screen and check the boxes for several controls of your choice (Tip: use the “A.9 Access Control” and “A.9 4.3 (2) Password Management System” controls from earlier)
Step 10: Click the blue “Submit” button at the bottom right
Step 11: Click the blue “Next” button at the bottom right
Step 12: On the “Assign Auditor(s) and Approver(s)” screen, check the top white box to the left of “Workpaper Name”
Step 13: Click the white “Bulk Assign” button that appears in the top right
Step 14: Input yourself as both Auditor and Approver
Step 15: Click the blue “Assign” button at the bottom of the menu
Step 16: Click the blue “Complete” button at the bottom right
Step 17: Click the blue “Create” button in the center of the screen
Ex 2 Create a Workpaper with New Attributes
Part 1
Step 1: Click on Attribute Manager on the left menu
Step 2: Click “View” in the “Workpaper Attributes” tile
Step 3: Click the “Groups” tab at the top
Step 4: Scroll to the bottom and click the white “Add Group” button
Step 5: For Group Name, type “Testing Details”
Step 6: Click the blue “Save” button
Step 7: Click the blue “Add Attribute” button in the top right
Step 8: For Name, type “Procedure”
Step 9: For Description, type “What is the procedure used to test the control?”
Step 10: For Response Type, select “Text”
Step 11: Click the white “Save and Add Another” button
Step 12: For Name, type “Testing Deadline”
Step 13: For Description, type “What is the deadline to test the control?”
Step 14: For Response Type, select “Date”
Step 15: Click the blue “Save” button
Step 16: Click the “Manage Attributes” button under the “Testing Details” group you created
Step 17: Move the two attributes you created from the left column to the right by selecting them and clicking the “>” button
Part 2
Step 1: Click the “Audits” tab on the left and select the audit we created
Step 2: Click on the “Workpaper” tab, click into a Workpaper ID, and identify the attributes we created
Step 3: Edit those two fields and click the blue “Save” button
Step 4: Click on the “Tasks” tab across the top
Step 5: Click “Advance” then “Confirm” at the top right to move the workflow to the “In Progress” stage
Step 6: Click the blue “Add Task” button
Step 7: For Task Name, type “Review Controls Implementation”
Step 8: Select yourself as the Assignee
Step 9: Click on the blue “Save” button
Step 10: Click into the Task name, review options, and click “Mark as Completed”
Step 11: Click on the blue “Advance” then “Confirm” buttons to the Complete stage
Step 12: Go back to the Audit and click “Advance” and “Confirm” to the Complete stage
Ex 3 Remediating a Finding
Part 1
Step 1: Click the Audit we just completed
Step 2: Click the “Findings” tab across the top
Step 3: Click the blue “Log Finding” button
Step 4: For “Finding Type,” select “Opportunity for Improvement”
Step 5: For Finding, type “Only 3 unique fields for passwords”
Step 6: Click the blue “Save” button at the bottom right
Part 2
Step 1: Click the Finding ID number you just created
Step 2: Scroll down and click under “Action Plan” to edit
Step 3: In the Action Plan box, type “Use 5-7 unique fields for passwords”
Step 4: Click the blue “Save” button at the bottom right
Step 5: Click the blue “Advance” then “Confirm” buttons
Step 6: Click the “Tasks” tab
Step 7: Click the blue “Add Task” button
Step 8: For “Task Name,” type “IT needs to configure more fields for passwords.”
Step 9: Click Save
Step 10: Click on the blue “Advance” then “Confirm” buttons to complete the audit
Ex 4 Create an Audit Report
Step 1: Click the Launch Pad Icon at the top left
Step 2: Scroll down and select the “Reports” module
Step 3: Click the blue “Create New” button at the top right
Step 4: For “Data Source,” select “Audit Management”
Step 5: Select the “Finding Default Column Report” option
Step 6: Click the blue “Next” button at the bottom right
Step 7: For Report Name, type “Audit Report 2022”
Step 8: Click the blue “Create” button at the bottom right
Step 9: Make any desired changes to columns then click the white “Save” button at the top right
Step 10: Click the blue “Export” button at the top right & select the “Excel” option
Step 11: Click the “Close” button in the middle of the screen
Step 12: Click the Notifications (bell) button at the top right of the screen
Step 13: Click the report name to download the Excel file