Page | 1 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential.

The training environment provided to you is only for use during the OneTrust Certification Training Program. You will only have access to log in for the duration of training.

Training URL: training.onetrust.com

Please refer to your instructor for the password to your environment.

Disclaimer

No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.

OneTrust products, content, and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue. OneTrust materials do not guarantee compliance with applicable laws and regulations.

Contents

OneTrust GRC Certification Program Reference Guide (p. 6)
Introduction (p. 6)
Claiming Your OneTrust Badges (p. 7)
Handbook Tips (p. 8)
  Using the Table of Contents (p. 8)
  Using Exercise Hyperlinks (p. 8)
Resources & Support (p. 9)
  Sales (p. 9)
  Technical Support (p. 9)
  Partner Support (p. 9)
  My OneTrust (p. 9)
  Tenant Support Request (p. 10)
Terminology & Frameworks Overview (p. 11)
  What is Governance? (p. 11)
  What is Risk? (p. 11)
  What is Compliance? (p. 11)
  Security Standards/Framework (p. 12)
  Controls Library (p. 12)
  Control Implementations (p. 12)
  Commonly Used Frameworks (p. 12)
Organizations, Roles, & Users (p. 13)
  Adding a User Exercise (p. 13)
IT Risk Management: Elements & Inventories (p. 14)
  Overview (p. 14)
    Elements (p. 14)
    Inventories (p. 15)
  Best Practices (p. 16)
  Execution (p. 17)
    Risk Scoring Methodology (p. 17)
    Adding Controls (p. 17)
    Create an Asset & Processing Activity (p. 17)
    Prepare for Common Risks (p. 17)
IT Risk Management: Assessment & Risk Management (p. 18)
  Overview (p. 18)
    Regulation Example (p. 18)
    Assessment & Risk Lifecycle (p. 18)
  Best Practices (p. 19)
  Execution (p. 19)
    Delivering Assessments (p. 19)
    Managing Risks (p. 19)
    Configure Automation Rule (p. 20)
Vendor Risk Management (p. 21)
  Overview (p. 21)
  Best Practices (p. 21)
  Execution (p. 22)
    Add Vendor via Exchange (p. 22)
    Create a Custom Vendor Workflow (p. 22)
    Add an Engagement (p. 22)
    Create a Report (p. 23)
    Offboarding a Vendor (p. 23)
Enterprise Policy Management (p. 24)
  Overview (p. 24)
    What do policies do? (p. 24)
    Why do we need them? (p. 24)
    Policy Workflow (p. 24)
  Best Practices (p. 25)
  Execution (p. 25)
    Add a Policy (p. 25)
    Adding Controls to a Policy (p. 25)
    Relate a Vendor (p. 25)
    Create an Automation Rule (p. 26)
Incidents Management (p. 27)
  Overview (p. 27)
  Best Practices (p. 28)
  Execution (p. 28)
    Register an Incident (p. 28)
    Create Incident Workflow (p. 28)
    Create a New Attribute & Link it to a New Web Form (p. 29)
    Link Incident to a Risk (p. 29)
Audit Management (p. 30)
  Overview (p. 30)
    Objective (p. 30)
  Best Practices (p. 30)
  Execution (p. 31)
    Add a New Audit (p. 31)
    Add a New Attribute & Complete a Workpaper (p. 32)
    Remediate a Finding (p. 32)
    Create an Audit Report (p. 32)
Glossary (p. 33)
  A (p. 33)
  B (p. 33)
  C (p. 33)
  D (p. 34)
  E (p. 34)
  F (p. 34)
  G (p. 34)
  I (p. 34)
  N (p. 35)
  P (p. 35)
  R (p. 35)
  S (p. 35)
  T (p. 35)
  V (p. 35)
  W (p. 36)
Detailed Exercise Steps (p. 37)
  Users & Roles (p. 37)
    Create a New User (p. 37)
  IT Risk Management: Elements & Inventories (p. 37)
    Ex 1 Risk Scoring Methodology (p. 37)
    Ex 2 Adding Controls (p. 37)
    Ex 3 Populate Asset & Processing Activity Inventories (p. 38)
    Ex 4: Prepare for Common Risks (p. 38)
  IT Risk Management: Assessment & Risk Management (p. 39)
    Ex 1 Launching & Completing an Assessment (p. 39)
    Ex 2 Managing Risks (p. 40)
    Ex 3 Configure Automation Rules (p. 40)
  Vendor Risk Management (p. 41)
    Ex 1 Populate Vendor Inventory (p. 41)
    Ex 2 Onboarding Workflow (p. 41)
    Ex 3 Create an Engagement (p. 41)
    Ex 4 Creating a Report (p. 42)
    Ex 5 Offboard a Vendor (p. 42)
  Enterprise Policy Management (p. 43)
    Ex 1 Add a Policy (p. 43)
    Ex 2 Add Controls to Enforce a Policy (p. 43)
    Ex 3 Relate Vendors to Policy (p. 44)
    Ex 4 Automate Reminder for Expiring Policies (p. 44)
  Incidents Management (p. 44)
    Ex 1 Register an Incident (p. 44)
    Ex 2 Create a Workflow (p. 45)
    Ex 3 Create a New Attribute & Link it to a New Web Form (p. 45)
    Ex 4 Link Incidents with Risk (p. 46)
  Audit Management (p. 46)
    Ex 1 Configure new Workflow and add a New Audit (p. 46)
    Ex 2 Create a Workpaper with New Attributes (p. 47)
    Ex 3 Remediating a Finding (p. 48)
    Ex 4 Create an Audit Report (p. 48)

OneTrust GRC Certification Program Reference Guide

Prepared For: OneTrust GRC Professional Certification Attendees
Version 7.0

Introduction

Welcome to the OneTrust GRC Certification Program Reference Guide, your comprehensive guide to becoming a certified OneTrust GRC professional. While OneTrust is the leading global software to operationalize data privacy compliance and Privacy by Design, OneTrust also offers a Governance, Risk, and Compliance (GRC) solution. OneTrust GRC Integrated Risk Management is a suite of integrated risk management products to identify, measure, mitigate, monitor, and report on risk across operations.

Claiming Your OneTrust Badges

Handbook Tips

Using the Table of Contents

Clicking a row will bring you directly to that location!

Using Exercise Hyperlinks

Each exercise will have an overview of the functionality’s importance. Clicking the blue “here” will bring you to detailed steps of how to complete the exercise. The blue header of that exercise can then be clicked to return to the overview section you were previously at.

Resources & Support

Sales
• Email: sales@onetrust.com
• Phone Numbers
  o London: +44 (800) 011-9778
  o Atlanta: +1 (844) 228-4440
  o Munich: +49 (175) 371-2983

Technical Support
• Email: support@onetrust.com
• Phone Number: +1 (844) 900-0472

Partner Support
• Email: partnersupport@onetrust.com

Partner support can assist with:
1. Scheduling Client Demonstrations
2. Submitting an RFI/RFP with OneTrust
3. Client Referrals
4. Account Strategy & Alignment
5. Additional Resources and Collateral

Other resources include:
1. Product Demonstration Videos
2. OneTrust Overview Brochure
3. How OneTrust Helps with GDPR Whitepaper
4. SmartPrivacy Workshops Registration
5. OneTrust Pricing Model

My OneTrust
• Website: my.OneTrust.com

My OneTrust is a platform that can be accessed by all OneTrust customers for additional resources, which include but are not limited to:
1. OneTrust Knowledgebase
2. Release Notes
3. Scheduled Maintenance
4. Live System Status
5. Submit a Ticket
6. Developer Portal
7. Get OneTrust Certified

Tenant Support Request

You can submit a support desk ticket directly to the OneTrust Support Team through your tenant by following these steps:
1. Log into OneTrust
2. Click the Launch Pad in the top left corner, then select “Get Help” in the bottom right
3. Fill out your inquiry in the message portal that pops up and click “Send”

Terminology & Frameworks Overview

What is Governance?

Governance is defined as the way rules, norms, and actions are structured, sustained, regulated, and held accountable.

What is Risk?

Risk is defined as the possibility or chance of loss, adverse effect(s), danger, or injury.

What is Compliance?

Compliance is the act of ensuring your company and employees follow the laws, regulations, standards, and ethical practices that apply to your organization.

Security Standards/Framework
• A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
Controls Library
• Includes controls from recognized frameworks and custom controls, which your organization can use to evaluate and describe the security and privacy requirements you have for vendors within the OneTrust application.

Control Implementations
• Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
• An organization can use controls to evaluate and describe the security and privacy requirements necessary for vendors.

Commonly Used Frameworks

Organizations, Roles, & Users

Organizations, Roles, and Users are the settings that determine a user’s experience in the system. When creating a new User (required whenever an individual needs to log into the platform), that user must be associated with at least one of each of the following:
• Organization – controls what data the user will have access to
  o Organizations are configured in a hierarchical tree
• Role – controls what modules and processes the user will have access to
  o Roles are individually configured, with many base roles pre-configured in the system. Each role is given specific permissions, which can be filtered by module.

Adding a User Exercise

Adding users appropriately is important. Their access should be balanced: restricted enough that they cannot see or interact with data outside their responsibility, but not so restricted that they are unable to perform their job. This balance is met by associating each user with the proper Roles and Organizations.

Click here for detailed steps on how to complete this exercise.
IT Risk Management: Elements & Inventories

IT Risk Management is defined as the set of policies, procedures, and technology that an organization puts into place to reduce threats, vulnerabilities, and the other consequences of having unprotected data. OneTrust can assist our customers’ IT Risk Management efforts by supplying efficient tools to define and track risks and to apply mitigating measures to those risks. This chapter focuses on anticipating common risks that your organization may face and preparing the tool to manage these risks by thoroughly configuring your Controls Library, Elements, and Inventories.

Overview

Elements

[Figure: Elements of Risk Management – Risk, Threat, Vulnerability and Control. Labels shown: ASSET, RISK, THREAT, VULNERABILITY, CONTROL, MITIGATION, COMPENSATING MEASURES, IMPACT, INITIATOR, OPPORTUNITY.]

An ASSET is an item of value to your business.

A RISK is the potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.

A THREAT is anything that can exploit a vulnerability, either intentionally or accidentally, and obtain, damage, or destroy an asset.

VULNERABILITIES can be defined as weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

A CONTROL can be defined as an attribute or element (either real or conceptual) that acts as a mitigating factor to reduce risk.
Elements Example

Inventories

Best Practices
- Risks are associated with inventory items (assets, processing activities, vendors, & entities)
  • If these inventories are not kept current, risk/inventory item relationships cannot be created in the system
  • Assessments can be used to automate this task
- Risks are given an Inherent Risk Level that determines the severity
  • low, medium, high, very high
  • Cross-team understanding and documentation of what constitutes these levels is crucial
- Assessments can be used to identify risks
  • Rules within assessments can automate this process for common risks
- Once risks are identified you can begin planning how to mitigate these risks
  • OneTrust has a Controls Library which includes
    o Custom Controls
    o Standards/Frameworks
  • Controls carry over into other modules

Execution

Risk Scoring Methodology
OneTrust includes a couple of risk scoring methodologies. The selected method needs to be agreed on and understood across several teams. When using the Risk Scoring Matrix, several items of that matrix can be configured to meet your organization’s needs. Click here for detailed steps on how to complete this exercise.

Adding Controls
The OneTrust tool provides users with a Controls Library, with the ability to add controls from multiple standards/frameworks or from scratch, to be associated with inventory items such as Assets, Processing Activities, Vendors, Entities, and Risks themselves. The controls in this library also extend into other GRC modules, such as Audit Management. Click here for detailed steps on how to complete this exercise.
Create an Asset & Processing Activity
While there are multiple ways to add inventory items, this exercise will use the manual interface. The OneTrust tool gives our customers the ability not only to add and track inventory items, but to relate them together to create a web of information. Risks can then be applied to all of these individual inventory items, no matter the type. Click here for detailed steps on how to complete this exercise.

Prepare for Common Risks
Once inventory items are configured and business processes determined, Assessment Templates should be reviewed and/or created. Within these templates, question responses that could indicate risk should be identified. For these answers, rules can be put in place to auto-create risks in the system with preassigned controls for swift management. Click here for detailed steps on how to complete this exercise.

IT Risk Management: Assessment & Risk Management
In this module, we focus on using GRC Assessments to obtain information about our inventory items and identify risks, as well as mitigating these risks by use of the Risk Lifecycle.

Overview
A GRC Assessment can be defined as a survey that gathers evidence to determine risk. In simple form, GRC assessments verify answers and provide access to key data:
• Is this control implemented?
• Attach pieces of evidence
• Explain

Regulation Example
ISO 27001: the international standard that describes best practices for implementing and maintaining an ISMS (information security management system). An ISO 27001 Risk Assessment is essential to that process and is a core component of this standard.
This type of risk assessment helps organizations:
• Understand specific scenarios that would result in their data being compromised
• Assess the damages these scenarios could cause
• Determine the likelihood of these scenarios happening

Assessment & Risk Lifecycle

Best Practices
- To make the most out of the Assessment Lifecycle, determinations will have to be made:
  • Who knows the most about this inventory item?
    o Internal or external?
  • Who would be the best person to identify risks from these responses?
- Similar to the Assessment Lifecycle, the Risk Lifecycle should have the best people possible to mitigate the risk down to a lowered level
  • Who is most capable of doing the work for the treatment plan?
  • Who is best placed to approve this work?
- Once risks are at a lowered level, they have the possibility to come back up due to changes in business processes or inventory items
  • To ensure risks stay at this lowered level, inventories need to be continuously updated to ensure no risks are slipping through the cracks

Execution

Delivering Assessments
Once the best respondents have been determined, we need to send them the questionnaire template we created previously. Once a template is sent to a respondent, it’s called an Assessment. In this exercise, we will launch an assessment to ourselves so that we can then see the Respondent’s side of how to complete and submit the answers to an approver. Click here for detailed steps on how to complete this exercise.

Managing Risks
Assessment responses can trigger the system to auto-create risks because of built-in rule logic, which means the next step is to remediate the risk. Click here for detailed steps on how to complete this exercise.
Configure Automation Rule
Now that we’ve sent an assessment, had it answered, then identified and managed a risk, we want to make sure we continue to monitor both the risk and inventory items in the future. To do this, we can automate the sending of assessments by use of various triggers. When that trigger (called a Condition) is met, the system will send another assessment to the specified respondent and the processes we’ve practiced in this lesson will continue. Click here for detailed steps on how to complete this exercise.

Vendor Risk Management
While business relationships with third-party vendors can often align with your organization's goals, they unfortunately also have the potential to lead to similar types of threats, vulnerabilities, and risks to those we discussed in prior modules. This module covers an overview, best practices, and practical steps in the OneTrust tool to help organizations in their efforts to manage these factors.

Overview

Best Practices
- Workflows are important to various stages of your relationship with a third party
  • Onboarding
  • Offboarding
  • Each workflow can have specific stages, tasks, rules, notifications, and more
- Engagements specify services provided by a vendor (i.e. consulting, support, implementation, and more)
  • Record time and resources allocated to the activity or service
  • Risks can be associated with individual engagements (a more specific level than Vendors)
- The Dashboard tab will provide high-level information on what’s in the module
  • Reports allow for configurable, more detailed columns that can be exported

Execution

Add Vendor via Exchange
Click here for detailed steps on how to complete this exercise.

Create a Custom Vendor Workflow
Click here for detailed steps on how to complete this exercise.

Add an Engagement
Click here for detailed steps on how to complete this exercise.

Create a Report
You can create a new report to display information and details about your audit. Reports can be created using one of the Reports Gallery templates, which are preconfigured with module-specific fields, or created manually using the Custom Report template. All templates will display by default, but can be narrowed down based on your selected data source or report type; in this case, our source is Audit Management. Click here for detailed steps on how to complete this exercise.
Offboarding a Vendor
Click here for detailed steps on how to complete this exercise.

Enterprise Policy Management
The Enterprise Policy Management module provides a centralized process for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and best practices. The policy inventory is used to capture internal policies for an organization. Policies can also be linked to controls and related to an inventory, and you can manage all policies centrally in one location. Policies help with managing the end-to-end policy workflow, from the creation of new policies to retiring policies that are no longer needed.

Overview

What do policies do?
Clarify expected output & behavior of an organization's members in the context specific to that organization (groups can include employees, volunteers, and other members such as board members).

Why do we need them?
• Guide daily workplace activities
• Promote compliance with laws & regulations
• Provide a strategic viewpoint for decision making
• Aid in simplification of processes

Policy Workflow

Best Practices
Three questions to ask when determining necessary policies:
- Is this a policy that is being created in anticipation of needing it later on?
- Or alternatively, is this policy created in response to a need that has come up?
- Is this policy internal or external to our organization?
Two main use cases:
- Notification reminders of upcoming expiration dates of policies
- Prompts for policies that have been in an under-review stage for an unexpectedly long time

Execution

Add a Policy
Policies can be created in OneTrust through various methods, including loading them in via template, building them from scratch, or editing a pre-built template within the tool. These policies can then be edited, revised, reported on, and linked with controls to define the processes of different types that your organization practices to keep GRC protocols top of mind. Click here for detailed steps on how to complete this exercise.

Adding Controls to a Policy
Once policies are created, they can be linked with controls to ensure proper implementation and continued efficacy. Those controls can be from a Standard/Framework or ones that were manually configured in the Controls Library (as was demonstrated in the IT Risk Management module). Click here for detailed steps on how to complete this exercise.

Relate a Vendor
Policies can extend beyond the bounds of the organization and look outward towards relationships with vendors. Similar to how risks can be linked to inventory items, or how controls can be linked to Policies, Policies can be linked to Vendors that have been added to the Vendor Inventory. Click here for detailed steps on how to complete this exercise.

Create an Automation Rule
As the workflow in the overview shows, Policies eventually come to an end. This could be due to the end of a process or because it’s time to review and update the details. No matter the reason, a rule can be created in the system that will automatically remind specified users when a policy is coming up on its expiration date; it is configured similarly to how we set up risks to be auto-created through assessments. Click here for detailed steps on how to complete this exercise.
Incidents Management
When incidents occur, it’s best to have the means to respond to and mitigate them. This module includes a module overview, best practices, and practical steps within the tool to help organizations manage incident recording, notification, and processing, as well as useful associations for mitigation.

Overview
- Organizations must demonstrate responsibility for ensuring implementation of adequate security measures per certain regulations/initiatives
- Authorities must be contacted no later than 72 hours after an organization becomes aware of a breach
- Consequences for contractual failure or missed deadlines can include regulatory investigation and significant financial penalties
- Organizations must adopt security, technical, and administrative measures capable of protecting personal data from unauthorized access
- Controller must contact Supervisory Authority and Data Subject
- ANPD must be contacted within 2 business days after the organization becomes aware of a breach

Method Example: Breach Response Plan
A Breach Response Plan provides guidelines for organizations to follow each time a breach is discovered. It is the employment of specific recording of the incident, assignment of directly responsible individuals, and use of process workflows in responding to an incident.

Best Practices
- Webforms that can be created within OneTrust can create incidents directly in the Incidents Register
  • If additional information is needed after the webform, Assessments can be used to update the incident
- Centralizes communication
- Tracks accountability
- Improves upon response times

Execution

Register an Incident
The Incident Register can be utilized as a repository for documenting incident details, stage progression, assessments, subtasks, and more to foster accountability and decision-making.
Users can assign owners, establish deadlines, and schedule reminders to ensure incident management timelines are met. Incidents can be reported into this centralized Register manually or by use of a Web Form. Click here for detailed steps on how to complete this exercise.

Create Incident Workflow
Incident Workflows are a series of configurable steps that help organizations manage incidents with rule-based notifications, tasks, attachments, a centralized communication portal, and more, with the ability to assign specific owners to key items. All these tools allow teams to properly mitigate incidents, and their associated risks, in a timely fashion. Organizations can create multiple workflows to meet the variety of incidents that can occur. Click here for detailed steps on how to complete this exercise.

Create a New Attribute & Link it to a New Web Form
The Attribute Manager allows users to view attributes (both active and inactive) and create new custom attributes. Active attributes can be added to assessments to gather more information about the incidents. Users can also group like attributes to appear during incident creation on the details screen. Web Forms can be built within OneTrust and used by external users via a link or a website, if it has been embedded, to submit incidents directly to the Incident Register. Click here for detailed steps on how to complete this exercise.

Link Incident to a Risk
Users can easily view and manage all risks associated with an incident by linking the two together in the Risk Register. Click here for detailed steps on how to complete this exercise.
Audit Management
OneTrust’s Audit Management module enables a risk-based approach to an organization’s GRC audit efforts, to recognize the scope of business practices, their impact, and where proposed measures for improvement can be effectively implemented.

Overview
The Audit Management Module automates the workstreams of audit teams, optimizing resources and productivity. An audit is an assessment of the methods and policies of an organization's management in the administration and use of resources, tactical and strategic planning, and employee and organizational improvement.

Objective
• Simplify and organize the workflow and collaboration process of compiling audits.
• Ensure that board-approved audit directives are implemented.

Best Practices
- Decide what risks are being tracked or which Standard or Framework is to be utilized.
- Plan your Work Paper, which is the document that records, during the course of an audit, the audit evidence obtained during various types of auditing, including financial statements auditing, internal management auditing, information systems auditing, and investigations.
- Assign an auditor. This role should be independent of an organization’s management so that the audit is unbiased.
- These three aspects of the controls should be tested:
  • The implementation of the controls you will be auditing against
  • The design and effectiveness of the controls
  • The record of their activity
- After the auditor has completed their work, findings need to be consolidated. Once all evidence is gathered, it should be reviewed in detail to identify any audit findings. This review is done based on the historical understanding of the process, historical evidence obtained, and the auditor’s professional judgment on the adequacy of the evidence provided.
- Based on the auditor’s findings, management will need to recommend compensating or complementary controls to address the risks identified in the audit. What is the effect of these controls on the risks identified, and do they reduce the residual risk to an acceptable amount?
- Lastly, what is the frequency of our audits (when will we re-assess the findings)?

Execution

Add a New Audit
New audits can be created in the Audit Management tool by entering the following:
- Audit name
- Standard/Framework
- Organization
- Auditors and Approvers
- Scope
Once created, details and scope can be added and updated, attachments can be uploaded, tasks can be completed, workpapers can be created, and findings can be documented. Click here for detailed steps on how to complete this exercise.

Add a New Attribute & Complete a Workpaper
Workpapers provide auditors a centralized location to document and manage both work and findings by providing access to existing evidence, assessments, and control implementations. Pre-made and/or custom attributes on workpapers create flexibility and alignment with an organization’s needs. Click here for detailed steps on how to complete this exercise.

Remediate a Finding
A Finding is a compliance issue and/or gap identified by an auditor that is documented on a workpaper and has its own management workflow. Actions can be documented for each finding for remediation purposes on an Action Plan. Click here for detailed steps on how to complete this exercise.

Create an Audit Report
Audit reports can display details about all audits in the system. Reports can be created using a preconfigured template with Audit Management as the data source, or manually via the Custom Report option. Click here for detailed steps on how to complete this exercise.
Glossary

A
Assessment – A list of questions assigned to a respondent within the OneTrust tool that requires a response by the respondent(s) and subsequent approval by an assigned approver(s).
Asset – Anything that can store or process personal data. This can include an application, website, database, or even physical storage. In GRC, this can also be defined as an item of value to a business.
Audit – An official inspection and independent review of information within an organization, conducted with a view to expressing an opinion thereon.

B
Breach Response Plan – Provides guidelines for organizations to follow each time a breach is discovered. It is the employment of specific recording of the incident, assignment of directly responsible individuals, and use of process workflows in responding to an incident.

C
Controller – The entity that determines the purposes, conditions, and means of the processing of personal data.
Controls – Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Controls Library – Includes controls from recognized frameworks and custom controls that your organization can use to evaluate and describe the security and privacy requirements you have within the OneTrust application.
Compliance – The act of ensuring your company and employees follow the laws, regulations, standards, and ethical practices that apply to your organization.
Cloud Security Alliance (CSA) – An industry organization dedicated to helping “ensure a secure cloud computing environment”; founded in 2009.
CSA Cloud Controls Matrix (CCM) – A cybersecurity control framework for cloud computing, composed of 133 control objectives that are structured in 16 domains covering all key aspects of cloud technology.
D
Data Element – Pieces of collected information that, together, build a complete picture of the data.
Data Subject – A natural person whose personal data is processed by a controller or processor.

E
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
Entity – A registered business involved in and responsible for data processing.

F
Finding – An issue and/or compliance gap identified by an auditor through an audit work paper.
FedRAMP – The Federal Risk and Authorization Management Program; a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The governing bodies of FedRAMP include: JAB, OMB, CIO Council, FedRAMP PMO, DHS, and NIST.

G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of the European Economic Area. Passed in 2016, in effect in 2018.
Governance – The way rules, norms & actions are structured, sustained, regulated, and held accountable.

I
ISO 27001 – International Organization for Standardization (ISO) 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). Issued and maintained by the International Organization for Standardization.
ISO 29001 – International Organization for Standardization (ISO) 29001 defines the quality management system for product and service supply organizations for the petroleum, petrochemical, and natural gas industries.
IT Risk Management – The set of policies, procedures, and technology that an organization puts into place to reduce threats, vulnerabilities, and other consequences of having unprotected data.
N
NIST 800-171 – National Institute of Standards and Technology Special Publication 800-171 governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.

P
Policy – Clarifies expected output & behavior of an organization's members in the context specific to that organization (groups can include employees, volunteers, and other members such as board members).
Processing Activity – An activity where data is touched, stored, or moved.

R
Risk – The possibility or chance of loss, adverse effect(s), danger, or injury.
Risk Register – A central list that includes all risks created within the various portions of the OneTrust tool.

S
Security Standards/Framework – A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.

T
Template – A list of questions pre-populated in the OneTrust tool that can be created or modified and assigned to someone as an assessment.
Threat – Anything that can exploit a vulnerability, either intentionally or accidentally, and obtain, damage, or destroy an asset.

V
Vendor – A third-party service provider.
Vendorpedia Exchange – A library of vendors within the OneTrust tool that contains detailed security and privacy profiles of thousands of global vendors. Each profile provides extensive information on the vendor’s details, services, and related certificates.
Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

W
Workpaper – Workpapers provide auditors a central location to manage audit work for compliance control. Auditors can access existing evidence, assessments, and control implementations to build their view of a control’s effectiveness.
Detailed Exercise Steps

Users & Roles

Create a New User
Step 1: Click the “Global Settings” gear cog icon at the top right of the screen
Step 2: Click the “Users” tab on the far left of the screen
Step 3: Click the blue “Add User” button on the top right of the screen
Step 4: Add a first name and last name (use an imaginary character or your own)
Step 5: Add your own Email Address
Step 6: Click the blue “Next” button at the bottom right of the screen
Step 7: Click the blue “Add Role” button in the center of the screen
Step 8: Click on the “Role” field and select “Assessments Manager”
Step 9: For Organization, select OneTrust, then click the white “Save and Add New” button
Step 10: Go back to Role, and select “Auditor”, then click the white “Save and Add New” button
Step 11: Go back to Role, and select “Enterprise Policy Manager”, then click the white “Save and Add New” button
Step 12: Go back to Role, and select “Incidents Manager”, then click the white “Save and Add New” button
Step 13: Go back to Role, and select “IT Risk Manager”, then click the white “Save and Add New” button
Step 14: Go back to Role, and select “Vendor Manager”, and this time click the blue “Add” button at the bottom right of the screen
Step 15: Click the blue “Create” button at the bottom right of the screen

IT Risk Management: Elements & Inventories

Ex 1 Risk Scoring Methodology
Step 1: Click the “Launch Pad” (grid icon) at the top left of the screen
Step 2: Click on the IT Risk Management Module
Step 3: Click the “Settings” tab on the menu on the left
Step 4: Click the Scoring Methodology dropdown and select either Matrix or Standard
Note: If you choose Standard, the next steps are not necessary
Step 5: If you chose Matrix, click the green plus buttons to add a new column and row – label them both “Urgent”
Step 6: Make the furthest top right square read 9 instead of 8.
Step 7: Scroll down to the Risk Level Ranges bar and then drag the yellow marker to 4, the pink marker to 6, and the red marker to 8.
Step 8: Click the blue “Save” button at the bottom right of the screen and click “Save” again on the pop-up window

Ex 2 Adding Controls
Part 1
Step 1: Click the “Launch Pad” at the top left of the screen
Step 2: Click on the IT Risk Management module
Step 3: Click the “Libraries” tab on the left side of the screen to expand that section
Step 4: Click the “Controls Library” tab
Step 5: Click the blue “Add New” button at the top right of the screen
Step 6: For Control ID, type “A.9 4.3 (2)”
Step 7: For Name, type “Password Management System”
Step 8: For Status, select “Active”
Step 9: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” from the list
Step 10: Click the blue “Save” button at the bottom right of the menu
Part 2
Step 1: Click the white “Add Standard/Framework” button at the top right of the screen
Step 2: Type “NIST” into the search bar at the top right of the screen and press enter
Step 3: Click on “NIST Cybersecurity Framework (CSF) Core v1.1”
Step 4: Click the blue “Add” button at the bottom right of the menu

Ex 3 Populate Asset & Processing Activity Inventories
Part 1
Step 1: Click the “Assets” tab on the left side of the screen under the “Inventory” section
Step 2: Click the blue “Add New” button at the top right of the screen
Step 3: For Name, type “Payroll Database”
Step 4: For Managing Organization, select “OneTrust”
Step 5: For Hosting Location, select a country of your choice
Step 6: For Type, select “Database” from the list
Step 7: Click the blue “Save” button at the bottom right of the menu
Part 2
Step 1: Click the “Processing Activities” tab on the left side of the screen under the “Inventory” section
Step 2: Click the blue “Add New” button at the top right of the screen
Step 3: For Name, type in “Monthly Compensation Calculation”
Step 4: For Managing Organization, select “OneTrust”
Step 5: Click the blue “Save” button at the bottom right of the menu
Part 3
Step 1: Click the “Related” tab near the top of the newly created Processing Activity from Part 2
Step 2: Scroll down to the “Related Assets” section and click “Add Related Asset”
Step 3: Click the “Choose an asset” box and select the asset you created in Part 1
Step 4: Check the “Related” box under the “How is asset related?” section
Step 5: Click the blue “Add Related” button

Ex 4: Prepare for Common Risks
Part 1
Step 1: Expand the “Setup” section on the left menu
Step 2: Click the “Templates” tab
Step 3: Click the “View” button in the ITRM Templates box
Step 4: Click the blue “Choose from Gallery” button in the top right
Step 5: Type “Asset Discovery” in the search bar at the top
Step 6: Hover over “Asset Discovery Questionnaire – 2.4” and click the blue “Preview” button
Step 7: Click “Choose This Template” in the bottom right
Step 8: Add your initials to the front of the name (“XXX – Asset Discovery Questionnaire – 2.4”)
Step 9: Click “Create Template” in the bottom right
Part 2
Step 1: Click the arrow to the far right of the first section (Asset Information) to view all the questions within.
Step 2: Drag the “Yes/No” Question Type box from the left and drop it in between questions 1.1 and 1.2 (make sure to drop it in the blue box that appears that reads “Drop Question Here”) Step 3: In the “Question” field, type “Is access to this asset restricted to only individuals that require access?” Step 4: Click the blue “Save” button in the bottom right Part 3 Step 1: Click the “Rules” tab near the top of the screen & click the “Add Rule” button Step 2: Name the rule “No Access Control” Step 3: Populate the “Trigger” box with “Question” Step 4: Populate the newly clickable “Question” box with the Yes/No question you just created Step 5: Populate the “Operator” box with “Equal To” Step 6: Populate the “Response” box with “No” Step 7: In the “Select an Action” box, choose “Create Risk” Step 8: Click the circle for “Create New Risk” Step 9: Give the risk an Inherent Risk Level & Description (“Access to asset is not limited to only those that require access.”) Step 10: Click the “Add Risk Control” button near the bottom & select “ISO/IEC 27001:2013 (27002)” on the left Step 11: Check the boxes for “A.9: Access Control” and “A9.1.1: Access Control Policy” then click “Add” Step 12: Click “Save” in the bottom right Step 13: Click “Publish” in the top right Step 14: Click “Confirm” near the middle IT Risk Management: Assessment & Risk Management Ex 1 Launching & Completing an Assessment Part 1 Step 1: Click on the "Active" tab under the "Assessments” section on the left menu Step 2: Click the blue “Launch Assessment” button at the top right of the screen Step 3: Select the Template you previously published Step 4: For Name, enter “Payroll Database Required Review” Step 5: For Organization, select “OneTrust” Step 6: For Primary Record Type, select “Assets” Step 7: For Primary Record, select the asset you created (Payroll Database) from the list Step 8: Select yourself (Admin###) for both Respondent and Approver Step 9: Click the blue “Launch” button at the bottom right 
of the screen Part 2 Page | 39 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Step 1: Click the “Asset Information” section on the left Step 2: Answer the question you created with “No” Step 3: Answer a few more questions (main question requiring an answer is the one you created) Step 4: Click the blue “Submit” button in the bottom right Step 5: Click the blue “Confirm” button Ex 2 Managing Risks Step 1: Click the “Risk Register” tab on the left menu Step 2: Click the description of the risk that got created by submitting the assessment Step 3: Advance your risk to the “Treatment” phase by clicking “Advance” Step 4: Enter a Risk Owner (Assign to me) and a Treatment Plan of your choice (Ex: Create and assign an access control policy to this asset) Step 5: Click the “Save & Advance” button Step 6: At the top right of the screen, click the white “Request Exception” button. Step 7: For comments, enter “Access to this database is open for all, but within the asset there are restricted areas to select employees.” Step 8: Click the blue “Submit” button Step 9: Click the blue “Grant Exception” button at the top right of the screen menu. 
Step 10: For Result, select “Reduced,” or a result of your choice Step 11: Change the “Residual Risk Level” to a lower score Step 12: Click the blue “Confirm” button Ex 3 Configure Automation Rules Part 1 Step 1: Click the “Automation Rules” tab inside the "Setup" section on the left menu Step 2: Click the blue “Add Rule Group” button at the top right of the screen Step 3: For Rule Group Name, enter “Asset Rule Group” Step 4: For Organization, select “OneTrust” Step 5: Click the blue “Add” button at the bottom right of the menu Part 2 Step 1: Click the blue “Add Rule” button at the center of the screen Step 2: For the “Select a Rule Type” dropdown, select “Asset” Step 3: Click the blue “Continue” button Step 4: For Rule Name, type in “Asset Review Rule” Step 5: For Frequency Run on the drop-down menu select “Monthly” Step 6: For the Trigger dropdown, select “Last Assessment Completion Date – By Template.” Step 7: For Operator dropdown, select “Equal To.” Step 8: For Number, enter 6 (6 months = “180 days”) Step 9: Click the “Select a Template” field and click the template name that you chose earlier Step 10: For the “Actions” dropdown, select “Send Asset Assessment” Step 11: Click into the “Template Name” field & select the template you created earlier Step 12: Click the blue “Save” button at the bottom right of the screen. Page | 40 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. 
Vendor Risk Management Ex 1 Populate Vendor Inventory Step 1: Click on the Launchpad at the top left Step 2: Click on the “Third-Party Risk Exchange” module Step 3: Click on the “Exchange” tab on the left menu Step 4: Click on OneTrust’s logo Step 5: Review the details of the company Step 6: Click the white “Add” button at the top right of the screen and then click “Confirm” Step 7: Click the Launchpad at the top left of the screen Step 8: Select the “Vendor Risk Management” module Step 9: Click “Vendors” under the “Inventory” header on the left menu Step 10: Click the name of the Vendor you just added (OneTrust) Step 11: Review how the data in the inventory matches what was in the Exchange Ex 2 Onboarding Workflow Step 1: Select the “Workflows” tab in the “Setup” section on the left menu Step 2: Select ‘View’ under the Vendor Workflows & Routing Rules tile Step 3: Select the ‘Default Onboarding’ workflow Step 4: Clone the workflow by clicking the blue “Clone” button in the top right Step 5: Name your workflow ‘XX: Default Onboarding’ Step 6: Then click the blue “Clone” button Step 7: Select the new workflow you created under the list of workflows Step 8: Select the “Under Evaluation Stage” Step 9: Click the “Workflow Rules” tab Step 10: Click the white “Add” button under “Event Triggers” Step 11: For “Trigger Name”, type in “Skip to In Review” Step 12: For “Trigger Type” select “Assessment Submitted” Step 13: Click the blue “Save” Button Step 14: In the middle, select the blue “Add Rule” button Step 15: For “Rule Name” type “Assessment Completed Stage Rule” Step 16: Under Conditions, set the trigger to “Assessment Stage – By Template” Step 17: Select “Completed” for the “Select Assessment Stage” dropdown Step 18: For AND, select the template “Vendor Privacy & Security Program Questionnaire (VRM)” Step 19: Under Actions set the stage as “In Review” Step 20: Then select the blue “Save” button Step 21: Select the blue “Publish” button at the top and then again in the 
middle Ex 3 Create an Engagement Step 1: Select “Engagements” on the left side of the screen Step 2: Click the blue “Add Engagement” button Step 3: For Engagement Name, type “Governance, Risk & Compliance” Page | 41 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Step 4: For Engagement Organization, select “OneTrust” Step 5: For Engagement Type, select “Vendor Engagement” Step 6: For Engagement Vendor, select “OneTrust” Step 7: Services add “Governance”, “Risk” & “Compliance” Step 8: Engagement Internal Owner, select yourself (Admin####) Step 9: For Engagement External Contact, add an email you have access to Step 10: For engagement notes, type “Software to support our organization’s GRC efforts” Step 11: Select the blue “Add” button in the bottom right Ex 4 Creating a Report Step 1: Click on the “Launch Pad” at the top left Step 2: Scroll to the bottom under “General Apps” section and select “Reports” Step 3: Select the blue “Create New” button at the top right of the screen Step 4: Under the “Data Source” column on the left, select “Vendor Management” Step 5: Select the report “Basic Vendor Review” Step 6: Click the blue “Next” button at the bottom right of screen Step 7: For “Report Name,” type “XX – Vendor Report” (XX = your initials) Step 8: Click the blue “Create” button at the bottom right of screen Step 9: Select the funnel icon at the top right of the grid Step 10: Click the blue “Add Filter” button Step 11: For Field, select “Classification” Step 12: Select “Active” for the value Step 13: Then select the blue “Save” button Step 14: Click on the blue “Apply” button Step 15: Click on the columns icon (just to the left of the funnel) Step 16: Search for “Risk Level” from “Available Fields” section on the left Step 17: Select the “>“ button to move it to the “Visible Fields” section on the right Step 18: Move the position of “Risk Level – Risk” up a few positions by using the “^” button on the right Step 19: Click the blue 
“Apply” button on the bottom right of the menu Step 20: Click the white “Save” icon at the top right of screen Step 21: Click the blue “Export” button at the top right of the screen Step 22: Select whether you want the report as an Excel or CSV file Note: The Notifications button at the top right (Bells button with a number in red) will notify you when you’re able to download the report) Ex 5 Offboard a Vendor Part 1 Step 1: Click the Launch Pad at the top left and go into the “Vendor Risk Management” module Step 2: Click the “Workflows” tab under the “Setup” section on the left menu Step 3: Click the blue “View” button in the “Vendor Workflows & Routing Rules” tile Step 4: Click on the “Default Offboarding” workflow name Step 5: Click the blue “Clone” button at the top right of the screen Page | 42 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Step 6: For Workflow Name, type in “High Risk Offboarding” Step 7: Click the blue “Clone” button at the bottom right of the menu Part 2 Step 1: Click into “High Risk Offboarding” workflow Step 2: At the top of the screen, click the “+” button between “In Review” and “Audit” Step 3: For Stage Title, type “Data Purge Verification” Step 4: Click the blue “Add” button at the bottom right of the menu Step 5: Click the “Stage Rules” tab at the top middle of the screen Step 6: Click the blue “Add Rule” button in the center of the screen Step 7: For Rule Name, enter “Data Purge” Step 8: For the Actions dropdown, select “Create Task” Step 9: For Name, type “Verify all essential data is purged from vendor and backed up onto secure storage” Step 10: Select an Assignee Step 11: Click the blue “Save” button at the bottom right of the menu Step 12: Click the blue “Publish” button at the top right of the screen Step 13: Click “Publish” in the center of the screen Enterprise Policy Management Ex 1 Add a Policy Step 1: Click on the Launch Pad at the top left of the screen Step 2: Click on the “Enterprise 
Policy Management” module Step 3: Click the “Policies” tab on the left side of the screen Step 4: Click the blue “Create Policy” button at the top right of the screen Step 5: Select the “Import from Gallery” option and click the blue “Next” button Step 6: In the Search Bar, type “Database” Step 7: Hover over the “SANS Database Credentials Coding Policy” tile and click the “Preview” button Step 8: Scroll through the contents then click the blue “Choose Policy” button at the bottom right Step 9: For Policy Name, type “Database Credentials Policy” Step 10: For Managing Organization, select “OneTrust” Step 11: Select a Policy Owner and Policy Approver Step 12: Click the blue “Create” button at the bottom right of the menu Ex 2 Add Controls to Enforce a Policy Step 1: Click on the “Policies” tab on the left menu Step 2: Click on the Policy you created Step 3: Click on the “Controls” tab at the top middle of the screen Step 4: Click the blue “Add Control” button in the center of the screen Step 5: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” on the left side of the menu Step 6: In the Search Bar at the top right, type “A9” Step 7: Check the box for “A9.1.1 Access control policy” Step 8: Scroll down to and check the box for “A9.2 User access management” Page | 43 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. 
Step 9: In the Search Bar at the top right, type in A.9, Step 10: Check the box for “A.9 Access control” Step 11: Click the blue “Add” button at the bottom right of the menu Ex 3 Relate Vendors to Policy Step 1: Click on the “Policies” tab on the left menu Step 2: Select the policy you created Step 3: Click on the “Related” tab for that policy Step 4: Scroll down and click the “Add Related Vendor” button Step 5: Click on “Choose Vendor” and select a Vendor of your choice Step 6: Click the blue “Add Related” button Ex 4 Automate Reminder for Expiring Policies Step 1: On the left menu, select “Automation Rules” under the “Setup” section Step 2: Click the blue “Add Rule Group” button in the top right Step 3: For Rule Group Name, type “Policy Rules” Step 4: Select “OneTrust” as the Organization Step 5: Click the blue “Add” button Step 6: Click the blue “Add Rule” button Step 7: Select “Policy” on the the rule type drop down Step 8: Click the blue “Continue” button Step 9: For Rule name, type “Expiring Policy Rule” Step 10: Select “Daily” as the Frequency, click the black arrow to the right, then select a time of day of your choice Step 11: Under Conditions, set the trigger as “Attribute” Step 12: Select “Expiration Date” for the “Select Attribute” box Step 13: Select “Equal To” for the Operator Step 14: Add “7” for the “Number” box Step 15: Keep the “Days Before” option Step 16: Under Actions, select “Send Approval Reminder Email” from the drop down Step 17: Click the blue “Save” button in the bottom right Incidents Management Ex 1 Register an Incident Step 1: Click the Launch Pad in the top left and select “Incident Response” Step 2: Click the “Incident Register” tab on the left menu Step 3: Click the blue “Add New” button at the top right of the screen Step 4: For “Incident Type”, select “User Account Compromise” Step 5: For Organization, select “OneTrust” Step 6: For Name, type “Data via Unauthorized Access” Page | 44 Copyright © 2022 OneTrust LLC. 
All rights reserved. Proprietary & Confidential. Step 7: For Description, type in a description of your choice Step 8: Choose any date from the past for the Date Occurred field Step 9: Choose any date between the Date Occurred and the current date/time for Date Discovered Step 10: Type in a root cause of your choice Step 11: Click the blue “Save” button at the bottom right Ex 2 Create a Workflow Part 1 Step 1: Click the “Workflows & Rules” tab in the “Setup” section on the left menu Step 2: Click “Default Workflow” Step 3: Click the white “Clone” button at the top right Step 4: For workflow name, type in “Data Incident Workflow” Step 5: Click the blue “Clone” button Part 2 Step 1: Click into your new workflow Step 2: At the top middle of the screen, click the “+” button in between “Investigating” and “Remediating” Step 3: For stage name, type “Risk Analysis” Step 4: Click the blue “Add” button at the bottom right of the menu Step 5: Click on the “Rules” tab Step 6: Click the blue “Add Rule” button in the center of the screen Step 7: For Rule Name, type in “Notification Rule” Step 8: For the Actions dropdown, select “Send Notification” Step 9: For recipients, type in your email and click “Assign to: <your email>” option in the dropdown list Step 10: For Subject, type “Data Incident Occurrence – Notify CIO” Step 11: For Body, type “There has been a data incident, please visit the incident register for more details” Step 12: Click the blue “Save” button at the bottom right of the screen Step 13: Click the blue “Publish” button at the top right of the screen Step 14: Click the blue “Publish” button in the center of the screen Part 3 Step 1: Click the “Workflows & Rules” tab on the left side of the screen Step 2: Click the “…” button to the far right of your new workflow Step 3: Select “Set as default” Step 4: Click the blue “Confirm” button Ex 3 Create a New Attribute & Link it to a New Web Form Part 1 Step 1: Click the “Attribute Manager” tab in the “Setup” section on 
the left menu Step 2: Click the blue “Add Attribute” button Step 3: Add a Name for the new attribute (“Incident Location”) Step 4: Add a Description as a question (“Where did the incident happen?”) Step 5: For Response Type, choose “Single Select” and add 3 cities on the right for options Step 6: Click on the blue “Save” button Page | 45 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Part 2 Step 1: Click the “Web Forms” tab under the “Setup” section on the left menu Step 2: Click the blue “Add New” button in the top right Step 3: Add a name (OneTrust Web Form) and click the blue “Create” button Step 4: For “Form Fields” section, add the following: Date Discovered, Data Occurred, Description, Incident Type, and the new attribute you created Step 5: In the “Form Styling” section, personalize your new Web Form header by adding a logo and changing the color Step 6: OPTIONAL – Edit the text in the “Form Text” section Step 7: Click on the white “Save Template” button in the top right Step 8: Click on the blue “Publish” button in the top right and then the center of the screen Step 9: Click on the white “Test” white button on the menu that appears Step 10: Fill the fields and click “Submit” Step 11: Exit the tab to return back to the original screen Ex 4 Link Incidents with Risk Step 1: Click the “Incident Register” tab on the left menu Step 2: Click into the incident you created in the previous exercise Step 3: Click on the “Risk Analysis” stage across the top Step 4: Click on the “More” tab and select “Risks” Step 5: Click the blue “Add Risk” button in the middle of the screen Step 6: Check the box on the left for the risk you created earlier Step 7: Click the blue “Link to Incident” button on the bottom right Step 8: Click on the blue “Advance” button to the “Complete” stage Audit Management Ex 1 Configure new Workflow and add a New Audit Part 1 Step 1: Click on the Launch Pad and select the “Audit Management” module Step 2: Click on 
"Workflows" tab on the left menu Step 3: Click the “View” button in the “Audit Workflows” tile Step 4: Click the (…) button for the “Default Audit Workflow” and select “Clone” Step 5: For “Workflow Name,” type “Internal 2022 Audit Workflow” and click the blue “Clone” button Step 6: Click into the newly created workflow Step 7: Between the “Field Work” and “Completed” stages, click the “+” button Step 8: For “Stage Title,” type "In Progress" and select the “Badge Color” to be blue (In Progress) Step 9: Click the blue “Add” button Step 10: Click “Publish” in the top right Step 11: Click Confirm Step 12: Click the blue hyperlink “Audit Workflows” in the top right Step 13: Click the (…) button for the new workflow, select "Set as default,” then click “Confirm” Page | 46 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Part 2 Step 1: Click on the “Audits” tab on the left menu Step 2: Click the blue “Create Audit” button at the top right Step 3: For Audit Name, type “Database Controls Audit 2022” Step 4: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” Step 5: For Organization, select “OneTrust” Step 6: Select yourself (Admin####) for both Auditor and Recipient Step 7: Click the blue “Next” button at the bottom right Step 8: Click the white “Select” button for the “Controls” row Step 9: Select a framework on the left side of the screen and check the boxes for several controls of your choice (Tip: Use A.9 Access Control, A.9 4.3 (2) Password Management System controls from earlier) Step 10: Click the blue “Submit” button at the bottom right Step 11: Click the blue “Next” button at the bottom right Step 12: On the “Assign Auditor(s) and Approver(s)” screen, check the top white box to the left of “Workpaper Name” Step 13: Click the white “Bulk Assign” button that appears in the top right Step 14: Input yourself as both Auditor and Approver Step 15: Click the blue “Assign” button at the bottom of the menu Step 16: Click the blue 
“Complete” button at the bottom right Step 17: Click the blue “Create” button in the center of the screen Ex 2 Create a Workpaper with New Attributes Part 1 Step 1: Click on Attribute Manager on the left menu Step 2: Click “View” in the “Workpaper Attributes” tile Step 3: Click the “Groups” tab at the top Step 4: Scroll to the bottom and click the white “Add Group” button Step 5: For Group Name, type “Testing Details” Step 6: Click the blue “Save” button Step 7: Click the blue “Add Attribute” button in the top right Step 8: For Name, type “Procedure” Step 9: For Description, type “What is the procedure used to test the control?” Step 10: For Response Type, select “Text” Step 11: Click the white “Save and Add Another” button Step 12: For Name, type “Testing Deadline” Step 13: For Description, type “What is the deadline to test the control?” Step 14: For Response Type, select “Date” Step 15: Click the blue “Save” button Step 16: Click the “Manage Attributes” button under the “Workpaper Attributes” Group we created Step 17: Move the 2 attributes we created from the left column to the right by selecting them and clicking the “>” button Page | 47 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. 
Part 2 Step 1: Click the “Audits” tab on the left and select the audit we created Step 2: Click on the “Workpaper” tab, click into a Workpaper ID, and identify the attributes we created Step 3: Edit those two fields and click the blue “Save” button Step 4: Click on the “Tasks” tab across the top Step 5: Click “Advance” then “Confirm” at the top right to move the workflow to the “In Progress” stage Step 6: Click the blue “Add Task” button Step 7: For Task Name, type “Review Controls Implementation” Step 8: Select yourself as the Assignee Step 9: Click on the blue “Save” button Step 10: Click into the Task name, review options, and click “Mark as Completed” Step 11: Click on the blue “Advance” then “Confirm” buttons to the Complete stage Step 12: Go back to the Audit and click “Advance” and “Confirm” to the Complete stage Ex 3 Remediating a Finding Part 1 Step 1: Click the Audit we just completed Step 2: Click the “Findings” tab across the top Step 3: Click the blue “Log Finding” button Step 4: For “Finding Type,” select “Opportunity for Improvement” Step 5: For Finding, type “Only 3 unique fields for passwords” Step 6: Click the blue “Save” button at the bottom right Part 2 Step 1: Click the Finding ID number you just created Step 2: Scroll down and click under “Action Plan” to edit Step 3: In the Action Plan box, type “Use 5-7 unique fields for passwords” Step 4: Click the blue “Save” button at the bottom right Step 5: Click the blue “Advance” then “Confirm” buttons Step 6: Click the “Tasks” tab Step 7: Click the blue “Add Task” button Step 8: For “Task Name,” type “IT needs to configure more fields for passwords.” Step 9: Click Save Step 10: Click on the blue “Advance” then “Confirm” buttons to complete the audit Ex 4 Create an Audit Report Step 1: Click the Launch Pad Icon at the top left Step 2: Scroll down and select the “Reports” module Step 3: Click the blue “Create New” button at the top right Step 4: For “Data Source,” select “Audit Management” Step 5: 
Select the “Finding Default Column Report” option Step 6: Click the blue “Next” button at the bottom right Step 7: For Report Name, type “Audit Report 2022” Page | 48 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential. Step 8: Click the blue “Create” button at the bottom right Step 9: Make any desired changes to columns then click the white “Save” button at the top right Step 10: Click the blue “Export” button at the top right & select the “Excel” option Step 11: Click the “Close” button in the middle of the screen Step 12: Click the button with the bells at the top right of the screen Step 13: Click the report name to download the Excel file Page | 49 Copyright © 2022 OneTrust LLC. All rights reserved. Proprietary & Confidential.