2020   vrm expert reference guide
OneTrust Certification Program Reference Guide
Vendor Risk Management
Page 2
Copyright © 2019 OneTrust LLC. All rights reserved. Proprietary & Confidential.
The training environment provided to you is only for use during the OneTrust Certification
Training Program. You will only have access to log in for the duration of training.
Training URL: training.onetrust.com
Please refer to your instructor for the password to your environment.
We recommend accessing the training environment in incognito/private browser mode.
OneTrust Certification Program Reference Guide
Prepared For:
OneTrust Certification Program Vendor Risk Management Expert Attendees
Disclaimer
No part of this document may be reproduced in any form without the written permission of the copyright
owner.
The contents of this document are subject to revision without notice due to continued progress in
methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of
any kind resulting from the use of this document.
OneTrust products, content and materials are for informational purposes only and not for the purpose of
providing legal advice. You should contact your attorney to obtain advice with respect to any particular
issue. OneTrust materials do not guarantee compliance with applicable laws and regulations.
Introduction
Welcome to the OneTrust Certification Program Reference Guide, your comprehensive guide to
becoming a certified OneTrust privacy management professional.
OneTrust is the leading global software to operationalize data privacy compliance and Privacy by Design.
OneTrust automates privacy impact assessments and data mapping, identifies privacy risks, and enforces
risk management and control activities in an integrated and agile approach.
Our web-based software provides a central repository for privacy professionals to collaborate with
business groups, service providers and trusted advisors managing privacy risks across customer data,
employee data, and vendor data transfers.
The result is the ability to demonstrate accountability and compliance with EU’s data protection
requirements (GDPR, BCR, Privacy Shield), and globally across privacy jurisdictions and frameworks.
Table of Contents
Support and Resources................................................................................................................. 7
1 Support Resources...................................................................................................................................7
Vendor Risk Management.......................................................................................................... 10
1 Terminology .......................................................................................................................................... 12
2 Security Standards/Frameworks ......................................................................................................... 14
3 Regulation Overview............................................................................................................................. 16
4 Execution in OneTrust ......................................................................................................................... 18
Glossary ....................................................................................................................................... 30
Support and Resources
Support and Resources 7
1 Support Resources 8
1.1 Support Infrastructure 8
1.2 Support Documentation 9
1.3 Product Release Notes and Maintenance Notices 9
1 Support Resources
1.1 Support Infrastructure
Request Support on Tenant
Submit a support desk ticket directly to the OneTrust Support Team through your tenant.
1. To get help from OneTrust support personnel, click on the question mark icon in the top navigation
and click Get Help.
2. Click Contact Us at the bottom of the window. Enter a message, Click the Element (if applicable)
and click Send. A member of our Support team will get back to you shortly.
Contact the OneTrust Support Team
• Email: support@onetrust.com
• Phone: +1 (844) 900-0472
1.2 Support Documentation
✓ Email support@onetrust.com from your work email if you have any issues with access to the support
portal (https://my.onetrust.com/s/) and documentation.
✓ Email your OneTrust Account Executive or sales@onetrust.com from your work email for access to
the support portal (https://my.onetrust.com/s/) and documentation.
1.3 Product Release Notes and Maintenance Notices
Product release notes and maintenance notices are available in the support portal:
https://my.onetrust.com/s/ under Product Updates at the top of the page.
Subscribe to Product Release Notes with the following steps:
1. Select All Groups at the bottom of the page
2. Click on the Product Updates group
3. Select Join Group on the right side, then Manage Notifications to set the frequency of how
often you receive updates via email
Subscribe to Maintenance Notices with the following steps:
1. Select System Status and Scheduled Maintenance at the bottom of the page
2. Click on Subscribe, and enter contact information
3. Click Subscribe to Alerts
Vendor Risk Management
Vendor Risk Management helps start and maintain a relationship with third-party service
providers through automated risk assessment, audit reporting, and by providing a centralized
location for all related documents, contracts, and historical data.
Vendor Risk Management 10
1 Terminology 12
2 Security Standards/Frameworks 14
3 Regulation Overview 16
4 Execution in OneTrust 18
1 Terminology
Security Standards/Frameworks
A series of documented processes that are used to define policies and procedures around the
implementation and ongoing management of information security controls in an enterprise environment.
Controls
Are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to
physical property, information, computer systems, or other assets.
Inventory
A list or collection of vendors, assets and processing activities.
Attribute
A characteristic or piece of information ascribed to a vendor.
Vendor Record
A data record containing information about a vendor in the form of attributes.
Conditional Logic
Logic added to an assessment that shows or hides questions based on responses to earlier questions in
the questionnaire, so the respondent skips questions that do not apply and gets a more seamless workflow.
Rules Logic
Logic added to an assessment that flags risks or automatically launches further assessments based on
the responses selected for specific questions.
Vendor
A person or company that sells and/or provides goods and services.
Engagement
A single implementation, purchase of software, service(s) or solutions. An engagement does not have to be
tied to a contractual agreement.
Automation Rules
Rules used to perform multiple actions based on one or more triggers, to streamline the re-assessment
process and notify all stakeholders that an assessment is taking place.
2 Security Standards/Frameworks
GAPP – Generally Accepted Privacy Principles
A framework intended to assist Chartered Accountants and Certified Public Accountants in
creating an effective privacy program for managing and preventing privacy risks.
The framework was developed through joint consultation between the Canadian Institute of
Chartered Accountants (CICA) and the American Institute of Certified Public
Accountants (AICPA).
AICPA TSC 2017 – The American Institute of Certified Public
Accountants (AICPA) – Trust Services Criteria (TSC) 2017
The framework presents control criteria for use in attestation or consulting engagements to
evaluate and report on controls over the security, availability, processing integrity, confidentiality, or
privacy over information and systems.
Issued by the AICPA Assurance Services Executive Committee (ASEC).
FedRAMP – The Federal Risk and Authorization Management
Program
A government-wide program that provides a standardized approach to security assessment,
authorization, and continuous monitoring for cloud products and services.
The governing bodies of FedRAMP include: JAB, OMB, CIO Council, FedRAMP PMO, DHS, and NIST.
ISO 27001 – International Organization for Standardization (ISO)
27001
ISO 27001 (formerly known as ISO/IEC 27001:2005) is a specification for an information security
management system (ISMS).
Issued and maintained by International Organization for Standardization.
ISO 29001 – International Organization for Standardization 29001
ISO 29001 defines the quality management system for product and service supply organizations for
the petroleum, petrochemical and natural gas industries.
NIST 800-171 – The National Institute of Standards and Technology
The NIST Special Publication 800-171 governs Controlled Unclassified Information (CUI) in Non-
Federal Information Systems and Organizations.
NIST SP 800-53 rev4 – The National Institute of Standards and
Technology
A catalog of security controls and assessment procedures for federal information systems and
organizations.
German Standard Data Protection Model
A framework designed to help data protection authorities (DPAs) verify compliance with personal data
protection law in a transparent and systematic way.
3 Regulation Overview
GDPR Importance
GDPR Articles 28, 29 and 32 require organizations to ensure that their third-party vendors
sufficiently safeguard their data.
Combined with the rise in third-party data breaches, this increases the need to reduce vendor
risk and prioritize privacy compliance.
CCPA Importance
Under current California law, businesses are required to “implement and maintain reasonable
security procedures” and “to protect the personal information from unauthorized access,
destruction, use, modification or disclosure.”
The CCPA increases fines and penalties for violations of existing law so that
businesses are held responsible for safeguarding personal information
if the business chooses to collect it.
Best Practices
Manage Controls Library
• Review and add the additional security frameworks and controls necessary for vendor compliance.
• Determine which framework is appropriate for implementation.
• Select the control that applies to the risk.
4 Execution in OneTrust
4.1 Add Vendor Attribute
✓ Navigate to Vendor Management → Attribute Manager → Vendor Attributes
✓ Add text attribute “Vendor Website”
✓ Save the attribute
4.2 Add Vendor and Services from Vendorpedia Exchange
✓ Navigate to Vendor Management → Vendorpedia: Exchange
✓ Add OneTrust to Vendors
✓ Select all products and services under OneTrust
✓ Add additional services under Salesforce vendor from Exchange
✓ Select Datorama and Einstein Analytics for Products/Services under Certificates tab of vendor
profile in Exchange
4.3 Create Questionnaire
✓ Navigate to Vendor Management → Setup: Templates
✓ Create your own template named “Preliminary Vendor Assessment”
✓ Add a section named “General Vendor Information”
✓ Add an Inventory Question – “Vendor Name”
✓ Add an Attribute Question – “Vendor Website”
4.4 Add Controls
✓ Navigate to Vendor Management → Vendors
✓ Click on the vendor RingCentral and go to the Assessments tab
✓ Open the “RingCentral Review” assessment
✓ Click on the Risk Flag in the top right corner → Find the ‘Controls’ tab → Click on ‘Add Control’
4.5 Add Engagement
✓ Navigate to Vendor Management → Vendors
✓ Click on the vendor Salesforce and go to the Engagements tab
✓ Add Engagement
✓ Engagement Name – “Business Intelligence Implementation – Sales and Marketing”
✓ Start Date – Today’s Date
✓ End Date – One Year from Today’s Date
✓ Services – Einstein Analytics
✓ Engagement Internal Owner – Assign to Me
4.6 Add Automation Rule
✓ Navigate to Vendor Management → Setup: Automation Rules
✓ Add a rule group called “Follow-up Vendor Assessments” and select Vendor rule type
✓ Add a Rule named “Yearly Vendor Re-assessment”
✓ Set the conditions → Last Completion Date – By Template → “Vendor Privacy Review”
✓ Action → Send Vendor Assessment → “Vendor Privacy Review”
✓ Set deadline, approver, and respondent
4.7 Add Vendor Contract
✓ Navigate to Vendor Management → Vendors
✓ Click on the vendor Workday and go to the Documents tab
✓ Add Contract
✓ Contract Name – “Workday MSA”
✓ Contract Type – Master Service Agreement
✓ Date Created – Today’s Date
✓ Status – In Progress
4.8 Create Custom Dashboard
✓ Navigate to Dashboards module
✓ Click Create New
✓ Dashboard Name – “Vendor Information”
✓ Visible Module – Vendor Management
✓ Select Template 2
✓ Add Widget displaying Vendors by Type
✓ Group By: Inventory → Vendors → Type
✓ Add Widget displaying Vendor Assessments by Stages
✓ Group By: Assessment → All Templates → Stages
Glossary
A
Adequacy Decision – A declaration made by the European Commission that a country outside of the EEA
offers an adequate level of protection, and therefore is acceptable for cross-border data transfers.
Affirmative Act – A clear action taken that indicates consent has been given, is not passive.
Asset – Anything that can store or process personal data. This can include an application, website, database,
or even a filing cabinet.
Asset Map – A visual map that shows the location of all assets.
Automated Decision Making – Making a decision or creating a profile based completely on technological
means without human involvement.
B
Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational companies
and organizations that describe how personal data must be processed and protected. This allows the
transfer of personal data outside the EEA, without having an Adequacy Decision. Data may be transferred
between countries but must remain within the organization.
Biometric Data – A “special category” of data relating to physical, physiological, or behavioral characteristics
of a person that can identify or confirm identity of a person.
C
California Consumer Protection Act (CCPA) – Signed into law in 2018, to be effective in 2020, this act
introduces new privacy rights for individuals living within the state of California. It is the first sweeping
privacy law in the United States.
Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain
categories of information.
Cookies (1st Party) – Cookies dropped by the website the user is visiting.
Cookies (3rd Party) – Cookies dropped by a website or company different than the one the user is visiting.
Most commonly, targeting or social media cookies.
Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website from
which the cookie was dropped.
Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with
the website.
Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to
specific processing. Consent must be as easy to withdraw as it is to give. Consent must be given through
Affirmative Action.
Controller – The entity that determines the purposes, conditions and means of the processing of personal
data.
D
Data Element – Pieces of collected information that, together, build a complete picture of the data.
Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data
controller erase their personal data, stop further dissemination of the data, and potentially have third
parties stop processing of the data.
Data Portability – The requirement for controllers to provide the data subject with a copy of the data
they’ve provided to the controller. The provided data must be easy to read and can be given to the data
subject directly, or to another controller upon request.
Data Protection Officer (DPO) – An expert on data privacy who works independently within an
organization to ensure compliance with GDPR policies and procedures.
Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify,
assess, and mitigate risks within an organization’s data processing policies and activities.
Data Subject – A natural person whose personal data is processed by a controller or processor.
Derogation – An exemption or exception from a law.
Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet
this goal in their own way, with their own national laws.
E
ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding
digital communication, digital marketing, and cookies.
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is
only accessible/readable by those with specified access.
European Data Protection Board (EDPB) – Formerly known as Article 29 Working Party (A29 WP), it is an
advisory body made up of DPAs from each EU member state and the European Commission.
F
Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and
there is no risk of significant negative consequences if they do not give consent.
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents
of the European Economic Area. Passed in 2016, in effect in 2018.
Genetic Data – Data pertaining to unique information about the health or physiology of an individual.
I
Informed – Having all the information needed to make a conscious decision or give consent.
M
Main Establishment – A location, chosen by the data controller, for a company or organization where it is
headquartered and therefore subject to any local laws or directives.
P
Personal Data – Any information related to a natural person or ‘Data Subject’, that can be used to directly or
indirectly identify the person.
Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction,
misuse, etc. of personal data.
Processor – An entity that processes data on behalf of a Data Controller, considered a third party.
Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the
designing of systems, rather than as an addition.
Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by
analyzing the personal data that are processed and the policies that are in place to protect the data.
Processing – Any activity performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data subject
behavior, done without human interference.
Pseudonymization – Removing key identifiers from personal data so that, on its own, it cannot be attributed
to a single individual. The data is still not completely anonymous, but it is not identifiable without other
pieces of data.
R
Recipient – The entity to which the personal data is disclosed.
Records of Processing Activities (RoPA) – Each data controller must have a detailed record of all
processing activities that are acted upon data that they have collected. Sometimes called an “Article 30
Report.”
Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety,
across the European Union.
Restriction of Processing – A right of a data subject to limit the future processing of their stored personal
data.
Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data controller
erase their personal data, cease further dissemination of the data, and potentially have third parties cease
processing of the data.
Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.
S
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for
specific and clearly spelled out uses and must be consulted if the use changes.
Supervisory Authority (SA) – A public authority which is established by a member state that oversees the
execution of GDPR regulations.
U
Unambiguous – Data subject consent must be given affirmatively and without doubt. The data subject
must have a clear understanding of what their data will be used for, and it must be obvious that the data
subject has consented to the particular processing.

For-website-Sukumar-Baishya-FT-Order-7-2-2025.pdf
PDF
The Indian Contract Act, 1872 (Applicable for India)
Data Act Effective from September 2025: Here is a Guide to the Main Obligations
Types or Forms of Intellectual Property Rights (IPR )
Company Law Shares and Debentures, Members
HR Compliance Law applicable in India under HR Comp.
Winding Up of companies for Company Law journal
The Balance of Power: Emergency Provisions in India
UNIT-3-COMPANIES ACT-2013.pdf (Applicable for India)
UNIT-7_ IPR_Final PPT.pdf (Applicable for India)
UNIT- 12_Applied Ethics_Unethical Practices in Business.pdf
UNIT-8_COMPETITION ACT-2002_DSS Final.pdf
Database Management Systems - akash dbms - abar tomake - nitei-hbe - na hle h...
Preamble_Masterclass_PPT_with_Notes.pptx
UNIT- 5 & 6_Industrial Relations PPT.pdf
UNIT-2- SALE OF GOODS ACT 1930.pdf (Applicable for India)
NATIONAL BUILDING CODE OF THE PHILIPPINES SUMMARY
Compliance with the Construction Work Design Management by Mah Sing Property ...
toppdf_ sa understanding te1753419803952.pptx
Federalism lecture note power point for law
For-website-Sukumar-Baishya-FT-Order-7-2-2025.pdf
The Indian Contract Act, 1872 (Applicable for India)

2020 vrm expert reference guide

  • 2. OneTrust Certification Program Reference Guide Vendor Risk Management Page 2
    Copyright © 2019 OneTrust LLC. All rights reserved. Proprietary & Confidential.
    The training environment provided to you is only for use during the OneTrust Certification Training Program. You will only have access to log in for the duration of training.
    Training URL: training.onetrust.com
    Please refer to your instructor for the password to your environment.
    We recommend accessing the training environment in incognito/private browser mode.
  • 3. OneTrust Certification Program Reference Guide
    Prepared For: OneTrust Certification Program Vendor Risk Management Expert Attendees
    Disclaimer
    No part of this document may be reproduced in any form without the written permission of the copyright owner.
    The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.
    OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue. OneTrust materials do not guarantee compliance with applicable laws and regulations.
  • 4. Introduction
    Welcome to the OneTrust Certification Program Reference Guide, your comprehensive guide to becoming a certified OneTrust privacy management professional.
    OneTrust is the leading global software to operationalize data privacy compliance and Privacy by Design. OneTrust automates privacy impact assessments and data mapping, identifies privacy risks, and enforces risk management and control activities in an integrated and agile approach. Our web-based software provides a central repository for privacy professionals to collaborate with business groups, service providers and trusted advisors managing privacy risks across customer data, employee data, and vendor data transfers. The result is the ability to demonstrate accountability and compliance with the EU’s data protection requirements (GDPR, BCR, Privacy Shield), and globally across privacy jurisdictions and frameworks.
  • 6. Table of Contents
    Support and Resources ... 7
      1 Support Resources ... 7
    Vendor Risk Management ... 10
      1 Terminology ... 12
      2 Security Standards/Frameworks ... 14
      3 Regulation Overview ... 16
      4 Execution in OneTrust ... 18
    Glossary ... 30
  • 7. Support and Resources
    Support and Resources ... 7
    1 Support Resources ... 8
    1.1 Support Infrastructure ... 8
    1.2 Support Documentation ... 9
    1.3 Product Release Notes and Maintenance Notices ... 9
  • 8. 1 Support Resources
    1.1 Support Infrastructure
    Request Support on Tenant
    Submit a support desk ticket directly to the OneTrust Support Team through your tenant.
    1. To get help from OneTrust support personnel, click on the question mark icon in the top navigation and click Get Help.
    2. Click Contact Us at the bottom of the window. Enter a message, click the Element (if applicable) and click Send. A member of our Support team will get back to you shortly.
    Contact the OneTrust Support Team
    • Email: [email protected]
    • Phone: +1 (844) 900-0472
  • 9. 1.2 Support Documentation
    ✓ Email [email protected] from your work email if you have any issues with access to the support portal (https://my.onetrust.com/s/) and documentation.
    ✓ Email your OneTrust Account Executive or [email protected] from your work email for access to the support portal (https://my.onetrust.com/s/) and documentation.
    1.3 Product Release Notes and Maintenance Notices
    Product release notes and maintenance notices are available in the support portal (https://my.onetrust.com/s/) under Product Updates at the top of the page.
    Subscribe to Product Release Notes with the following steps:
    1. Select All Groups at the bottom of the page
    2. Click on the Product Updates group
    3. Select Join Group on the right side, then Manage Notifications to set the frequency of how often you receive updates via email
    Subscribe to Maintenance Notices with the following steps:
    1. Select System Status and Scheduled Maintenance at the bottom of the page
    2. Click on Subscribe, and enter contact information
    3. Click Subscribe to Alerts
  • 10. Vendor Risk Management
    Vendor Risk Management helps organizations start and maintain relationships with third-party service providers through automated risk assessments and audit reporting, and by providing a centralized location for all related documents, contracts, and historical data.
  • 11. Vendor Risk Management
    Vendor Risk Management ... 7
    1 Terminology ... 12
    2 Security Standards/Frameworks and Regulation Overview
    3 Execution in OneTrust ... 18
  • 12. 1 Terminology
    Security Standards/Frameworks – A series of documented processes used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
    Controls – Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
    Inventory – A list or collection of vendors, assets and processing activities.
    Attribute – A characteristic or piece of information ascribed to a Vendor.
    Vendor Record – A data record containing information about a vendor in the form of attributes.
    Conditional Logic – Logic that can be added to an assessment to allow a more seamless workflow: questions are skipped or shown depending on the responses to other questions within the questionnaire, so the respondent only sees those that apply.
    Rules Logic – Logic that can be added to an assessment to flag risks or automatically launch assessments based on the responses selected for specific questions.
    Vendor – A person or company that sells and/or provides goods and services.
  • 13. Engagement – A single implementation, purchase of software, service(s) or solutions. An engagement does not have to be tied to a contractual agreement.
    Automation Rules – Used to complete multiple actions based on one or more triggers, to streamline the re-assessment process and notify all stakeholders of the assessment taking place.
  • 14. 2 Security Standards/Frameworks
    GAPP – Generally Accepted Privacy Principles
    A framework intended to assist Chartered Accountants and Certified Public Accountants in creating an effective privacy program for managing and preventing privacy risks. The framework was developed through joint consultation between the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA).
    AICPA TSC 2017 – The American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC) 2017
    The framework presents control criteria for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems. Issued by the AICPA Assurance Services Executive Committee (ASEC).
    FedRAMP – The Federal Risk and Authorization Management Program
    A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The governing bodies of FedRAMP include: JAB, OMB, CIO Council, FedRAMP PIO, DHS, and NIST.
    ISO 27001 – International Organization for Standardization (ISO) 27001
    ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). Issued and maintained by the International Organization for Standardization.
    ISO 29001 – International Organization for Standardization 29001
  • 15. ISO 29001 defines the quality management system for product and service supply organizations in the petroleum, petrochemical and natural gas industries.
    NIST 800-171 – The National Institute of Standards and Technology
    NIST Special Publication 800-171 governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.
    NIST SP 800-53 rev4 – The National Institute of Standards and Technology
    A framework catalog of security controls for federal information systems and organizations, together with assessment procedures.
    German Standard Data Protection Model
    A framework designed to assist data protection authorities (DPAs) in systematically and transparently verifying compliance with personal data protection law.
  • 16. 3 Regulation Overview
    GDPR Importance
    GDPR Articles 28, 29 and 32 require organizations to ensure their third-party vendors sufficiently safeguard their data. Together with the impact of third-party data breaches, this increases the need to reduce vendor risk and prioritize privacy compliance.
    CCPA Importance
    Under current California law, businesses are required to “implement and maintain reasonable security procedures” and “to protect the personal information from unauthorized access, destruction, use, modification or disclosure.” The CCPA increases fines and penalties for violations of existing law so that businesses are held responsible for safeguarding personal information if the business chooses to collect it.
  • 17. Best Practices: Manage Controls Library
    Review and add additional security frameworks and controls necessary for vendor compliance. Determine which framework is appropriate for implementation. Select the controls that apply to the risk.
  • 18. 4 Execution in OneTrust
  • 19. 4.1 Add Vendor Attribute
    ✓ Navigate to Vendor Management → Attribute Manager → Vendor Attributes
    ✓ Add text attribute “Vendor Website”
    ✓ Save the attribute
  • 22. 4.2 Add Vendor and Services from Vendorpedia Exchange
    ✓ Navigate to Vendor Management → Vendorpedia: Exchange
    ✓ Add OneTrust to Vendors
    ✓ Select all products and services under OneTrust
    ✓ Add additional services under the Salesforce vendor from Exchange
    ✓ Select Datorama and Einstein Analytics for Products/Services under the Certificates tab of the vendor profile in Exchange
  • 28. 4.3 Create Questionnaire
    ✓ Navigate to Vendor Management → Setup: Templates
    ✓ Create your own template named “Preliminary Vendor Assessment”
    ✓ Add a section named “General Vendor Information”
    ✓ Add an Inventory Question – “Vendor Name”
    ✓ Add an Attribute Question – “Vendor Website”
  • 33. 4.4 Add Controls
    ✓ Navigate to Vendor Management → Vendors
    ✓ Click on the vendor RingCentral and go to the Assessments tab
    ✓ Open the “RingCentral Review” assessment
    ✓ Click on the Risk Flag in the top right corner → Find the ‘Controls’ tab → Click on ‘Add Control’
  • 35. 4.5 Add Engagement
    ✓ Navigate to Vendor Management → Vendors
    ✓ Click on the vendor Salesforce and go to the Engagements tab
    ✓ Add Engagement
    ✓ Engagement Name – “Business Intelligence Implementation – Sales and Marketing”
    ✓ Start Date – Today’s Date
    ✓ End Date – One Year from Today’s Date
    ✓ Services – Einstein Analytics
    ✓ Engagement Internal Owner – Assign to Me
  • 37. 4.6 Add Automation Rule
    ✓ Navigate to Vendor Management → Setup: Automation Rules
    ✓ Add a rule group called “Follow-up Vendor Assessments” and select the Vendor rule type
    ✓ Add a Rule named “Yearly Vendor Re-assessment”
    ✓ Set the conditions → Last Completion Date – By Template → “Vendor Privacy Review”
    ✓ Action → Send Vendor Assessment → “Vendor Privacy Review”
    ✓ Set deadline, approver, and respondent
  • 39. 4.7 Add Vendor Contract
    ✓ Navigate to Vendor Management → Vendors
    ✓ Click on the vendor Workday and go to the Documents tab
    ✓ Add Contract
    ✓ Contract Name – “Workday MSA”
    ✓ Contract Type – Master Service Agreement
    ✓ Date Created – Today’s Date
    ✓ Status – In Progress
  • 41. 4.8 Create Custom Dashboard
    ✓ Navigate to Dashboards module
    ✓ Click Create New
    ✓ Dashboard Name – “Vendor Information”
    ✓ Visible Module – Vendor Management
    ✓ Select Template 2
    ✓ Add Widget displaying Vendors by Type
    ✓ Group By: Inventory → Vendors → Type
    ✓ Add Widget displaying Vendor Assessments by Stages
    ✓ Group By: Assessment → All Templates → Stages
  • 46. Glossary
    A
    Adequacy Decision – A declaration made by the European Commission that a country outside of the EEA offers an adequate level of protection, and therefore is acceptable for cross-border data transfers.
    Affirmative Act – A clear, non-passive action taken that indicates consent has been given.
    Asset – Anything that can store or process personal data. This can include an application, website, database, or even a filing cabinet.
    Asset Map – A visual map that shows the location of all assets.
    Automated Decision Making – Making a decision or creating a profile based completely on technological means, without human involvement.
    B
    Binding Corporate Rules (BCRs) – A set of strict and binding rules put in place by multinational companies and organizations that describe how personal data must be processed and protected. This allows the transfer of personal data outside the EEA without an Adequacy Decision. Data may be transferred between countries but must remain within the organization.
    Biometric Data – A “special category” of data relating to the physical, physiological, or behavioral characteristics of a person that can identify or confirm the identity of a person.
    C
    California Consumer Protection Act (CCPA) – Signed into law in 2018, to be effective in 2020, this act introduces new privacy rights for individuals living within the state of California. It is the first sweeping privacy law in the United States.
    Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain categories of information.
    Cookies (1st Party) – Cookies dropped by the website the user is visiting.
    Cookies (3rd Party) – Cookies dropped by a website or company different from the one the user is visiting. Most commonly, targeting or social media cookies.
    Cookies (Persistent) – Cookies that continue to live on a user’s device after they have left the website from which the cookie was dropped.
  • 47. Cookies (Session) – Cookies that are no longer active after a user leaves a website or ends a session with the website.
    Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to specific processing. Consent must be as easy to withdraw as it is to give. Consent must be given through an Affirmative Act.
    Controller – The entity that determines the purposes, conditions and means of the processing of personal data.
    D
    Data Element – Pieces of collected information that together build a complete picture of the data.
    Data Erasure – Also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase their personal data, stop further dissemination of the data, and potentially have third parties stop processing of the data.
    Data Portability – The requirement for controllers to provide the data subject with a copy of the data they’ve provided to the controller. The provided data must be easy to read and can be given to the data subject directly, or to another controller upon request.
    Data Protection Officer (DPO) – An expert on data privacy who works independently within an organization to ensure compliance with GDPR policies and procedures.
    Data Protection Impact Assessment (DPIA) – An assessment required under GDPR, used to identify, assess, and mitigate risks within an organization’s data processing policies and activities.
    Data Subject – A natural person whose personal data is processed by a controller or processor.
    Derogation – An exemption or exception from a law.
    Directive – A legislative act that sets out a goal for all EU countries to achieve, but each country can meet this goal in its own way, with its own national laws.
    E
    ePrivacy Directive – A directive passed in 2002 and amended in 2009 that addresses privacy regarding digital communication, digital marketing, and cookies.
    Encrypted Data – Personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
  • 48. European Data Protection Board (EDPB) – Formerly known as the Article 29 Working Party (A29 WP), it is an advisory body made up of DPAs from each EU member state and the European Commission.
    F
    Freely Given – Consent is considered freely given if the data subject is able to exercise a real choice, and there is no risk of significant negative consequences if they do not give consent.
    G
    General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of the European Economic Area. Passed in 2016, in effect in 2018.
    Genetic Data – Data pertaining to unique information about the health or physiology of an individual.
    I
    Informed – Having all the necessary information needed to make a conscious decision or give consent.
    M
    Main Establishment – A location, chosen by the data controller, for a company or organization where it is headquartered and therefore subject to any local laws or directives.
    P
    Personal Data – Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.
    Personal Data Breach – A breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.
    Processor – An entity that processes data on behalf of a Data Controller, considered a third party.
    Privacy by Design (PbD) – A principle that calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition.
    Privacy Impact Assessment – A tool used to identify and reduce the privacy risks of organizations by analyzing the personal data that are processed and the policies that are in place to protect the data.
    Processing – Any activity performed on personal data, whether or not by automated means, including collection, use, recording, etc.
    Profiling – Any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior, done without human interference.
  • 49. Pseudonymization – Removing key identifiers from personal data so that, on its own, it cannot be attributed to one single individual. The data is still not completely anonymous but is not identifiable without other pieces of data.
    R
    Recipient – The entity to which the personal data is disclosed.
    Records of Processing Activities (RoPA) – Each data controller must have a detailed record of all processing activities performed on the data they have collected. Sometimes called an “Article 30 Report.”
    Regulation – A binding legislative act that must be applied in specifically spelled out ways, in its entirety, across the European Union.
    Restriction of Processing – A right of a data subject to limit the future processing of their stored personal data.
    Right to be Forgotten – Also known as Data Erasure, it entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
    Right to Access – Also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
    S
    Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for specific and clearly spelled out uses and must be consulted if the use changes.
    Supervisory Authority (SA) – A public authority established by a member state to oversee the execution of GDPR regulations.
    U
    Unambiguous – Data subject consent must be given affirmatively and without doubt. The data subject must have a clear understanding of what their data will be used for, and it must be obvious that the data subject has consented to the particular processing.