GRCPro Handbook v2023.1.4

OneTrust GRC Professional
Certification Program Handbook
GRC & Security

Assurance
DISCLAIMER:
No part of this document may be reproduced in any form without the written permission of the copyright owner.
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no
Proprietary/Internal
liability for any error or damage of any kind resulting from the use of this document.
OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain
advice with respect to any particular issue.
OneTrust GRC Professional Reference Guide
The training environment assigned to you is only provided for training and certification purposes
You will have access to login for the duration of the training and approximatively 5 days after the training
URL: training.onetrust.com
Please refer to your instructor for the username/password to your assigned environment
2
Contents
OneTrust GRC Certification Program Reference Guide ................................................................................. 7
Introduction...................................................................................................................................................... 7
Resources & Support....................................................................................................................................... 8
Sales ............................................................................................................................................................. 8
Technical Support ........................................................................................................................................ 8
Partner Support ............................................................................................................................................ 8
MyOneTrust .................................................................................................................................................. 9
Tenant Support Request .............................................................................................................................. 9
Terminology & Frameworks Overview ........................................................................................................ 10
What is Governance? ................................................................................................................................. 10
What is Risk? .............................................................................................................................................. 10
What is Compliance? ................................................................................................................................. 10
Common Terminology............................................................................................................................... 11
Commonly Used Frameworks ................................................................................................................... 11
Organizations, Roles, & Users ...................................................................................................................... 12
Adding a User Exercise.............................................................................................................................. 12
IT Risk Management: Elements & Inventories ............................................................................................. 13
Overview..................................................................................................................................................... 13
Elements ................................................................................................................................................. 13
Elements Example .................................................................................................................................. 14
Inventories .............................................................................................................................................. 14
Best Practices ............................................................................................................................................. 15
Execution .................................................................................................................................................... 15
Risk Scoring Methodology ..................................................................................................................... 15
Adding Controls ...................................................................................................................................... 15
Create an Asset & Processing Activity .................................................................................................. 15
Prepare for Common Risks .................................................................................................................... 16
IT Risk Management: Assessment & Risk Management ............................................................................. 17
Overview..................................................................................................................................................... 17
Example .................................................................................................................................................. 17
Assessment & Risk Lifecycles ................................................................................................................... 18
Best Practices ............................................................................................................................................. 18
Execution .................................................................................................................................................... 19
Delivering Assessments ......................................................................................................................... 19
3
Managing Risks ...................................................................................................................................... 19

Configure Automation Rule ................................................................................................................... 19
Third-Party Risk Management ...................................................................................................................... 20
Overview..................................................................................................................................................... 20
Best Practices ............................................................................................................................................. 20
Execution .................................................................................................................................................... 21
Add Vendor via Exchange ...................................................................................................................... 21
Create an Onboarding Vendor Workflow .............................................................................................. 21
Add an Engagement ............................................................................................................................... 21
Enterprise Policy Management ..................................................................................................................... 22
Overview..................................................................................................................................................... 22
What do policies do? .............................................................................................................................. 22
Why do we need them?.......................................................................................................................... 22
Policy Workflow ...................................................................................................................................... 22
Best Practices ............................................................................................................................................. 23
Execution .................................................................................................................................................... 23
Add a Policy ............................................................................................................................................ 23
Adding Controls to a Policy ................................................................................................................... 23
Relate a Vendor ...................................................................................................................................... 23
Create an Automation Rule .................................................................................................................... 24
Incidents Management .................................................................................................................................. 25
Overview..................................................................................................................................................... 25
Best Practices ............................................................................................................................................. 26
Execution .................................................................................................................................................... 26
Create Custom Incident Type ................................................................................................................. 26
Create an Incident Workflow .................................................................................................................. 26
Create a New Attribute & Web Form ..................................................................................................... 27
Link Incident to a Risk ............................................................................................................................. 27
Audit Management ........................................................................................................................................ 28
Overview..................................................................................................................................................... 28
Objective ................................................................................................................................................. 28
Best Practices ............................................................................................................................................. 28
Execution .................................................................................................................................................... 29
Create a New Audit................................................................................................................................. 29
Add a New Attribute & Complete a Workpaper .................................................................................... 29
Remediate a Finding ............................................................................................................................... 29
4
Create an Audit Report ........................................................................................................................... 29

Glossary ......................................................................................................................................................... 30
A .................................................................................................................................................................. 30
B .................................................................................................................................................................. 30
C .................................................................................................................................................................. 30
D .................................................................................................................................................................. 31
E .................................................................................................................................................................. 31
F .................................................................................................................................................................. 31
G .................................................................................................................................................................. 31
I ................................................................................................................................................................... 32
N .................................................................................................................................................................. 32
P .................................................................................................................................................................. 32
R .................................................................................................................................................................. 32
S .................................................................................................................................................................. 32
T .................................................................................................................................................................. 33
V .................................................................................................................................................................. 33
W ................................................................................................................................................................. 33
Detailed Exercise Steps ................................................................................................................................. 34
Users & Roles ............................................................................................................................................. 34
User Setup .............................................................................................................................................. 34
ITRM: Inventories & Elements ................................................................................................................... 35
Risk Scoring Methodology ..................................................................................................................... 35
Adding Controls ...................................................................................................................................... 35
Create an Asset & Processing Activity .................................................................................................. 36
Prepare for Common Risks .................................................................................................................... 37
ITRM: Assessments & Risk Management ................................................................................................. 38
Delivering Assessments ......................................................................................................................... 38
Managing Risks ...................................................................................................................................... 39
Configure Automation Rules.................................................................................................................. 39
Third-Party Risk Management ................................................................................................................... 40
Populate Vendor Inventory .................................................................................................................... 40
Create an Onboarding Workflow ........................................................................................................... 40
Add an Engagement ............................................................................................................................... 41
Enterprise Policy Management ................................................................................................................. 42
Add a New Policy.................................................................................................................................... 42
Add Controls to a Policy ......................................................................................................................... 42
Relate Policy to a Vendor ....................................................................................................................... 43
5
Create an Automation Rule .................................................................................................................... 43

Incident Management ................................................................................................................................ 44
Create a Custom Incident Type .............................................................................................................. 44
Create an Incident Workflow .................................................................................................................. 44
Create a new Attribute & Webform ....................................................................................................... 45
Link an Incident to a Risk........................................................................................................................ 46
Audit Management .................................................................................................................................... 46
Create a new Audit ................................................................................................................................. 46
Create New Attributes & Complete a Workpaper ................................................................................. 47
Remediate a Finding ............................................................................................................................... 48
Run an Audit Report ............................................................................................................................... 49
6
OneTrust GRC Certification Program Reference Guide
Prepared for:
OneTrust GRC Professional Certification Attendees
Version 9.0
Introduction
Welcome to the OneTrust GRC Certification Program Reference Guide, your comprehensive guide to
becoming a certified OneTrust GRC professional.
While OneTrust is the leading global software to operationalize data privacy compliance and Privacy by Design,
OneTrust also offers a Governance, Risk, and Compliance Solution (GRC). OneTrust GRC Integrated Risk
Management is a suite of integrated risk management products to identify, measure, mitigate, monitor, and
report on risk across operations.
7
Resources & Support

Sales
• Email: Sales@onetrust.com
• Phone Numbers:
o London: +44 (800) 011-9778
o Atlanta: +1 (844) 228-4440
o Munich: +49 (175) 371-2983
Technical Support
• Email: support@onetrust.com
• Phone Number: +1 (844) 900-0472
Partner Support
• Email: partnersupport@onetrust.com
This partner support can assist with:
1. Scheduling Client Demonstrations
2. Submitting an RFI/RFP with OneTrust
3. Client Referrals
4. Account Strategy & Alignment
5. Additional Resources & Collateral
Other resources include:

1. Product Demonstration Videos
2. OneTrust Overview Brochure
3. How OneTrust Helps with GDPR Whitepaper
4. SmartPrivacy Workshops Registration
5. OneTrust Pricing Model
8
MyOneTrust
• Website: my.OneTrust.com
My OneTrust is a platform that can be accessed by all OneTrust customers for additional resources which
include, but it not limited to:
1. OneTrust Knowledge
2. Release Notes
3. Schedule Maintenance
4. Live System Status
5. Submit a Ticket
6. Developer Portal
7. Get OneTrust Certified
Tenant Support Request

You can submit a support desk ticket directly to the OneTrust Support Team through your tenant by following
these steps:
1. Log into OneTrust
2. Click the Launch Pad in the top left corner
3. Click “Get Help” in the bottom right of the menu
4. Use the knowledge portal to search for solutions
5. If no solutions are found, click the “Contact Us” button
6. Fill out your inquiry in the message portal that appears
7. Click “Send”
9
Terminology & Frameworks Overview

What is Governance?
Governance is defined as the way rules, norms, and actions are structured, sustained, regulated, and held
accountable.
Governance Initiatives
What is Risk?
Risk is defined as the possibility or chance of loss, adverse effect(s), danger, or injury.
Risk Initiatives
What is Compliance?
Compliance is the act of ensuring your company and employees follow the laws, regulations, standards, and
ethical practices that apply to your organization.
Compliance Initiatives
10
Common Terminology
• Security Standards/Framework - A series of documented processes that are used to define policies
and procedures around the implementation and ongoing management of information security controls
in an enterprise environment
• Controls Library - Includes controls from recognized frameworks and custom controls which your
organization can use to evaluate and describe the security and privacy requirements you have for
vendors within the OneTrust application
• Control Implementations - Safeguards or countermeasure to avoid, detect, counteract, or minimize
security risks to physical property, information, computer systems, or other assets. An organization can
use controls to evaluate and describe the security and privacy requirements necessary for vendors.
Commonly Used Frameworks
11
Organizations, Roles, & Users

Organizations, Roles, and Users are the settings that will impact the user experience in the system. When
creating a new User, in which an individual will require to log into the platform, that user must be associated
with at least one of each of the following:
• Organization – controls what data the users will have access to
o Organizations are configured in a hierarchical tree
• Role – controls what modules and processes the user will have access to
o Roles are individually configured with many base roles pre-configured in the system. Each role
is given specific permissions which can be filtered by module
Adding a User Exercise

Adding users appropriately is important. Their access should be balanced - restricted enough so they can’t see
or interact with data in ways outside of their responsibility, while not too restricted to where they are unable to
perform their job. This balance is able to be achieved by proper user association of Roles and Organizations.
12
IT Risk Management: Elements & Inventories

IT Risk Management is defined as the set of Policies, Procedures, as well as the technology that an
organization puts into place to reduce threats, vulnerabilities, and other results caused by having unprotected
data. OneTrust can assist our customers’ IT Risk Management efforts by supplying efficient tools to define
and track risks to apply mitigating measures towards those risks. This chapter focuses on anticipating
common risks that your organization may face and preparing the tool to be ready to manage these risks by
thoroughly configuring your Controls Library, Elements, and Inventories.
Overview
Elements
• Asset – any item of value to your business

• Risk – potential for loss, damage, or destruction of an asset as a result of a threat exploiting a
vulnerability
• Threat – anything that can exploit a vulnerability, either intentionally or accidentally, and obtain damage
or destroy an asset
• Vulnerability – a weakness or gap in a security program that can be exploited by threats to gain
unauthorized access to an asset
• Control – an attribute or element (either real or conceptual) that acts as a mitigating factor to reduce
risk
13
Elements Example
Inventories
14
Best Practices
Execution
Risk Scoring Methodology

OneTrust includes a couple risk scoring methodologies. The selected method would need to be decided and
understood across several teams. When using the Risk Scoring Matrix, several items of that matrix can be
configured to meet your organization’s needs.
Adding Controls
The OneTrust Tool provides users with a Controls Library with the ability to add controls from multiple
standards/frameworks or from scratch to be associated with inventory items such as Assets, Processing
Activities, Vendors, Entities, and Risks, themselves. The controls in this library also extend into other GRC
modules, such as Audit Management.
Create an Asset & Processing Activity

While there are multiple ways to add inventory items, this exercise will use the manual interface. The
OneTrust tool gives our customers the ability not only to add and track inventory items, but to relate them
together to create a web of information. Risks are then able to be applied to all of these individual inventory
items, no matter the type.
15
Prepare for Common Risks

Once inventory items are configured and business processes determined, Assessment Templates should be
reviewed and/or created. Within these templates, identifications of question responses that could mean risk
should be made. For these answers, rules can be put in place to auto-create risks in the system with pre-
assigned controls for swift management.
16
IT Risk Management: Assessment & Risk Management

In this module, we focus on using GRC Assessments to obtain information about our inventory items and
identify risks as well as mitigating these risks by use of the Risk Lifecycle.
Overview
A GRC Assessment can be defined as a survey that gathers evidence to determine risk. In simple form, GRC
assessments verify answers and provide access to key data:
• Is this control implemented?
• Attach piece of evidence
• Explain
Example
ISO 27001: the international standard that describes best practices for implementing and maintaining an ISMS
(information security management system). An ISO27001 Risk Assessment is essential to that process and is
a core component of this standard. This type of risk assessment helps organizations:
• Understand specific scenarios that would result in their data being compromised
• Assess the damages these scenarios could cause
• Determine how the likelihood of these scenarios happening
17
Assessment & Risk Lifecycles
Best Practices
18
Execution
Delivering Assessments
Once the best respondents have been determined, we need to send them the questionnaire template we
created previously. Once a template is sent to a respondent, it’s called an Assessment. In this exercise, we
will launch an assessment to ourselves so that we can then see the Respondent’s side of how to complete
and submit the answers to an approver.
Managing Risks
Assessment responses can trigger the system to auto-create risks because of built in rule logic which means
the next step is to remediate the risk.
Configure Automation Rule

Now that we’ve sent an assessment, have gotten it answered, then identified and managed a risk, we want
to make sure we continue to monitor both the risk and inventory items in the future. To do this, we can
automate the sending of assessments by use of various triggers. When that trigger (called a Condition) is met,
the system will send another assessment to the specified respondent and the processes we’ve practiced in
this lesson will continue.
19
Third-Party Risk Management

While business relationships with third-party vendors can often align with your organization's goals, it
unfortunately also has the potential to lead to similar types of threats, vulnerabilities, and risks that we
discussed in prior modules. This module covers an overview, best practices, and practical steps in the
OneTrust tool to help organizations in efforts to manage these factors.
Overview
Best Practices
20
Execution
Add Vendor via Exchange

Adding vendors to the Vendor inventory allows for many different areas of management within the system,
including sending vendor assessments, updating the data mapping module, associating risks to vendors, and
more. Vendors can manually be added directly into the inventory, populated in bulk via a downloadable
template, or through the Vendorpedia Exchange, which is the process that this exercise details.
Create an Onboarding Vendor Workflow

Similar to how we worked through specific stages to mitigate a risk, custom stages can be built to create a
Workflow. Workflows give a centralized location for teams to work on and achieve a specific goal. Key parts of
a vendor’s lifecycle with a company can have workflows created, such as onboarding, as this exercise will
detail. Within these workflows, you’re able to add either:
• Workflow Rules – changes which workflow stage you’re on based on conditions in the system
• Stage Rules – creates a risk, notification, task, etc. based on a condition in the system
Add an Engagement
Engagements give clarity about specific relationships and obligations you have with a third party. Instead of
associating risks, workflows, assessments, and more at the higher-level Vendor level, you can do this work at
the more detailed Engagement level, giving you a clearer picture of your enterprise environment and ability to
work at a more granular level of specificity.
21
Enterprise Policy Management

The Enterprise Policy Management module provides a centralized process for creating and managing policies,
standards, and internal control procedures that are cross-mapped to external regulations and best practices.
The policy inventory is used to capture internal policies for an organization.
Policies can also be linked to controls, related to an inventory, and you can manage all policies centrally in one
location. Policies help with managing the end-to-end policy workflow, from the creation of new policies to
retiring policies that are no longer needed.
Overview
What do policies do?

Clarify expected output & behavior of an organization's members in the context specific to that organization
(groups can include employees, volunteers, and other members (board members, etc.)
Why do we need them?

• Guide daily workplace activities
• Promote Compliance with laws & regulations
• Provide Strategic viewpoint of decision making
• Aid in simplification of processes
Policy Workflow
22
Best Practices
Execution
Add a Policy
Policies can be created in OneTrust through various methods, including loaded in via template, built from
scratch, or by editing a pre-built template within the tool. These policies can then be edited, revised, reported
on, and linked with controls to define processes of different types that your organization practices to keep
GRC protocols top of mind.
Adding Controls to a Policy

Once policies are created, they can be linked with controls to ensure proper implementation and continued
efficacy. Those controls can be from a Standard/Framework or ones that were manually configured in the
Controls Library (as was demonstrated the IT Risk Management module).
Relate a Vendor
Policies can extend beyond the bounds of the organization and look outward towards relationships with
vendors. Similar to how risks can be linked to inventory items, or even how controls can be linked to Policies,
Policies can be linked to Vendors that have been added to the Vendor Inventory.
23
Create an Automation Rule

As the workflow in the overview shows, Policies eventually come to an end. This could be due to the end of a
process or because it’s time to review and update the details. No matter the reason, a rule can be created in
the system that will automatically remind specified users when a policy is coming up on its expiration date and
is configured similarly to how we created risks to be auto-created through assessments.
24
Incidents Management
When incidents occur, it’s best to have the means to respond to and mitigate them. This module includes a
module overview, best practices, and practical steps within the tool to help organizations manage incident
recording, notification, processing, as well as useful associations for mitigation.
Overview
A Breach Response Plan is a continually tested guideline for organizations to follow each time a breach is
discovered. It should determine:
• Specific recording methods
• Directly Responsible Individuals (DRIs)
• Designated workflows
25
Best Practices
Execution
Create Custom Incident Type

Incident Types not only provide details about the incident that occurred, but can also be used to drive
automation within an incident workflow, as we’ll see in the next exercise. If there’s an incident type that you
expect to encounter that not an out-of-box option in OneTrust, you can create this type in the platform.
Creating a new type will automatically update the attribute, thus updating any attribute question type used for
this purpose.
Create an Incident Workflow

Incident Workflows are a series of configurable steps that help organizations manage incidents with rule-
based notifications, tasks, attachments, a centralized communication portal, and more with the ability to
assign specific owners to key items. All these tools allow for teams to properly mitigate incidents, and their
associate risks, in a timely fashion. Organizations can create multiple workflows to meet the variety of
incidents that can occur.
26
Create a New Attribute & Web Form

The Attribute Manager allows users to create and view attributes (both active and inactive) and create new
custom attributes. Active attributes can be added to assessments to gather more information about the
incidents. Users can also group like attributes to appear during the incident creation on the details screen.
Web Forms can be built within OneTrust and used by external users via a link or a website, if it has been
embedded, to submit incidents directly to the Incident Register.
Link Incident to a Risk

Users can easily view and manage all associated risks to an incident by linking the two together in the Risk
Register.
27
Audit Management
OneTrust’s Audit Management module enables a risk-based approach to an organization’s GRC audit efforts to
recognize the scope of business practices, their impact, and where proposed measures for improvement can
be effectively implemented.
Overview
The Audit Management Module automates the workstreams of audit teams, optimizing resources and
productivity. It is an assessment of methods and policies of an organization's management in the
administration and the use of resources, tactical and strategic planning, and employee and organizational
improvement.
Objective
• Simplify and organize the workflow and collaboration process of compiling audits
• Ensuring that board-approved audit directives are implemented
Best Practices
28
Execution
Create a New Audit

New audits can be created in the Audit Management tool by entering the following:
• Audit name
• Standard/Framework
• Organization
• Auditors & Approvers
• Scope
Once created, details and scope can be added and updated, attachments can be uploaded, tasks can be
completed, workpapers can be created, and findings can be documented.
Add a New Attribute & Complete a Workpaper

Workpapers provide auditors a centralized location to document and manage both work and findings by
providing access to existing evidence, assessments, and control implementations. Pre-made and/or custom
attributes on workpapers create flexibility and alignment with an organization’s needs.
Remediate a Finding
A Finding is a compliance issue and/or gap identified that an auditor that’s documented on a workpaper and
has its own management workflow. Actions can be documented for each finding for remediation purposes on
an Action Plan.
Create an Audit Report

Audit reports can display details about all audits in the system. Reports can be created using a pre-configured
template with Audit Management as the data source or manually via a Custom Report option.
29
Glossary
A
Assessment – A list of questions assigned to a respondent within the OneTrust tool that requires a response
by the respondent(s) and subsequent approval by an assigned approver(s)
Asset – Anything that can store or process personal data. This can include an application, website, database,
or even physical storage. In GRC, this can also be defined as an item of value to a business
Audit – An official inspection and independent review of information within an organization conducted with a
view to express an opinion thereon
B
Breach Response Plan - provides guidelines for organizations to follow each time a breach is discovered. It is
the employment of specific recording of the incident, assignments of directly responsible individuals, and use
of process workflows for use in responding to an incident
C
Controller – The entity that determines the purposes, conditions, and means of the processing of personal
data
Controls – They are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to
physical property, information, computer systems, or other assets
Controls Library - Includes controls from recognized frameworks and custom controls that your organization
can use to evaluate and describe the security and privacy requirements you have within the OneTrust
application
Compliance - the act of ensuring your company and employees follow the laws, regulations, standards, and
ethical practices that apply to your organization
30
Cloud Security Alliance (CSA) - an industry organization dedicated to helping “ensure a secure cloud
computing environment” – founded in 2009
CSA Cloud Controls Matrix (CCM) - a cybersecurity control framework for cloud computing, composed of 133
control objectives that are structured in 16 domains covering all key aspects of the cloud technology
D
Data Element – Pieces of collected information that together, build a complete look at Data
Data Subject – A natural person whose personal data is processed by a controller or processor
E
Encrypted Data – Personal data that is protected through technological measures to ensure that the data is
only accessible/readable by those with specified access
Entity – A registered business involved in and responsible for data processing
F
Finding – An issue and/or compliance gap identified by an auditor through an audit work paper
Fed RAMP – The Federal Risk and Authorization Management Program - A government-wide program that
provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud
products and services. The governing bodies of Fed Ramp include: JAB, OMB, CIO Council, FedRAMP PIO,
DHS, and NIST
G
General Data Protection Regulation (GDPR) – A regulation on data protection and privacy for all residents of
the European Economic Area. Passed in 2016, in effect in 2018
Governance - the way rules, norms & actions are structured, sustained, regulated, and held accountable
31
I
ISO 27001 - International Organization for Standardization (ISO) 27001 - formally known as ISO/IEC
27001:2005) is a specification for an information security management system (ISMS). Issued and maintained
by International Organization for Standardization.
ISO 29001 – International Organization for Standardization (ISO) 29001 - ISO 29001 defines the quality
management system for product and service supply organizations for the petroleum, petrochemical, and
natural gas industries
IT Risk Management - The set of Policies, Procedures, as well as the technology that an organization puts into
place to reduce threats, vulnerabilities, and other results caused by having unprotected data
N
NIST 800-171 - The National Institute of Standards and Technology - The NIST Special Publication 800-171
governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations
P
Policy – Clarifies expected output & behavior of an organization's members in the context specific to that
organization (groups can include employees, volunteers, and other members (board members, etc.)
Processing Activity – An activity where data is touched stored or moved
R
Risk - is defined as the possibility or chance of loss, adverse effect(s), danger, or injury
Risk Register – A central list that includes all risks created within a variety of portions of the OneTrust tool
S
Security Standards/Framework - A series of documented processes that are used to define policies and
procedures around the implementation and ongoing management of information security controls in an
enterprise environment
32
T
Template – A list of questions pre-populated in the OneTrust tool that can be created or modified and assigned
to someone as an assessment
Threat - Anything that can exploit a vulnerability, either intentionally or accidentally and obtain damage or
destroy an asset
V
Vendor – A third-party service provider
Vendorpedia Exchange – a library of vendors within the OneTrust tool that contains detailed security and
privacy profiles of thousands of global vendors. Each profile provides extensive information on the vendor
details, services, and related certificates
Vulnerability – Defined as weaknesses or gaps in a security program that can be exploited by threats to gain
unauthorized access to an asset
W
Workpaper – Workpapers provide auditors a central location to manage audit work for compliance control.
Auditors can access existing evidence, assessments, and control implementations to build their view of a
control’s effectiveness
33
Detailed Exercise Steps

Users & Roles
User Setup
Step 1: Click the “Global Settings” gear cog icon at the top right of the screen
Step 2: Click the “Users” tab on the left menu
Step 3: Click the blue “Add User” button on the top right of the screen
Step 4: Add a first name and last name (use an imaginary character or your own)
Step 5: Add your own Email Address
Step 6: Click the blue “Next” button at the bottom right of the screen
Step 7: Click the blue “Add Role” button in the center of the screen
Step 8: Click on the “Role” field and select “Assessments Manager”
Step 9: For Organization, select OneTrust, then click the white “Save and Add New” button
Step 10: Go back to Role, and select “Auditor” then click white “Save and Add New” button
Step 11: Go back to Role, and select “Enterprise Policy Manager” then click white “Save and Add New”
button
Step 12: Go back to Role, and select “Incidents Manager” then click white “Save and Add New” button
Step 13: Go back to Role, and select “IT Risk Manager” then click white “Save and Add New” button
Step 14: Go back to Role, and select “Vendor Manager” and this time click the blue “Add” button at the
bottom right of the screen
Step 15: Click the blue “Create” button at the bottom right of the screen
34
ITRM: Inventories & Elements
Risk Scoring Methodology

Step 1: Click the “Launch Pad” (grid icon) at the top left of the screen
Step 2: Click on the IT & Security Risk Management Module
Step 3: Click the “Settings” tab on the menu on the left
Step 4: Click the Scoring Methodology dropdown and select either Matrix or Standard
Note: If you choose Standard, the next steps are not necessary
Step 5: If you chose Matrix, click the green plus buttons to add a new column and row – label them both
“Urgent”
Step 6: Make the furthest top right square read 9 instead of 8.
Step 7: Scroll down to the Risk Level Ranges bar and then drag the yellow marker to 4, the pink marker to 6,
and the red marker to 8.
Step 8: Click the blue “Save” button at the bottom right of the screen and click “Save” again on the pop-up
window
Adding Controls
Part 1
Step 1: Click the “Launch Pad” at the top left of the screen
Step 2: Click on the IT & Security Risk Management module
Step 3: Click the “Libraries” tab on the left side of the screen to expand that section
Step 4: Click the “Controls Library” tab
Step 5: Click the blue “Add New” button at the top right of the screen
Step 6: For Control ID, type “A.9 4.3 (2)”
Step 7: For Name, type “Password Management System”
Step 8: For Status, select “Active”
Step 9: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” from the list
Step 10: Click the blue “Save” button at the bottom right of the menu
35
Part 2
Step 1: Click the white “Add Standard/Framework” button at the top right of the screen
Step 2: Type “NIST” into the search bar at the top right of the screen and click enter
Step 3: Click on “NIST Cybersecurity Framework (CSF) Core v1.1”
Step 4: Click the blue “Add” button at the bottom right of the menu
Create an Asset & Processing Activity

Part 1
Step 1: Click the “Assets” tab on the left side of the screen under the “Inventory” section
Step 3: For Name, type “Payroll Database”
Step 4: For Managing Organization, select “OneTrust”
Step 5: For Hosting Location, select a country of your choice
Step 6: For Type, select “Database” from the list
Part 2
Step 1: Click the “Processing Activities” tab on the left side of the screen under the “Inventory” section
Step 3: For Name, type in “Monthly Compensation Calculation”
Part 3
Step 1: Click the “Related” tab near the top of the newly created Processing Activity from Part 2
Step 2: Scroll down to the “Related Assets” section and click “Add Related Asset”
Step 3: Click the “Choose an asset” box and select the asset you created in Part 1
Step 4: Check the “Related” box under the “How is asset related?” section
Step 5: Click the blue “Add Related” button
36
Prepare for Common Risks

Part 1
Step 1: Expand the “Setup” section on the left menu
Step 2: Click the “Templates” tab
Step 3: Click the “View” button in the ITRM Templates box
Step 4: Click the blue “Choose from Gallery” button in the top right
Step 5: Type “Asset Discovery” in the search bar at the top
Step 6: Hover over “Asset Discovery Questionnaire – 2.4” and click the blue “Preview” button
Step 7: Click “Choose This Template” in the bottom right
Step 8: Add your initials to the front of the name (“XXX – Asset Discovery Questionnaire – 2.4”)
Step 9: Click “Create Template” in the bottom right
Part 2
Step 1: Click the arrow to the far right of the first section (Asset Information) to view all the questions within.
Step 2: Drag the “Yes/No” Question Type box from the left and drop it in between questions 1.1 and 1.2
(make sure to drop it in the blue box that appears that reads “Drop Question Here”)
Step 3: In the “Question” field, type “Is access to this asset restricted to only individuals that require
access?”
Step 4: Click the blue “Save” button in the bottom right
Part 3
Step 1: Click the “Rules” tab near the top of the screen & click the “Add Rule” button
Step 2: Name the rule “No Access Control”
Step 3: Populate the “Trigger” box with “Question”
Step 4: Populate the newly clickable “Question” box with the Yes/No question you just created
Step 5: Populate the “Operator” box with “Equal To”
Step 6: Populate the “Response” box with “No”
Step 7: In the “Select an Action” box, choose “Create Risk”
Step 8: Click the circle for “Create New Risk”
Step 9: Give the risk an Inherent Risk Level & Description (“Access to asset is not limited to only those that
require access.”)
37
Step 10: Click the “Add Risk Control” button near the bottom & select “ISO/IEC 27001:2013 (27002)” on the
left
Step 11: Check the boxes for “A.9: Access Control” and “A9.1.1: Access Control Policy” then click “Add”
Step 12: Click “Save” in the bottom right
Step 13: Click “Publish” in the top right
Step 14: Click “Confirm” near the middle
ITRM: Assessments & Risk Management
Delivering Assessments
Part 1
Step 1: Click on the "Active" tab under the "Assessments” section on the left menu
Step 2: Click the blue “Launch Assessment” button at the top right of the screen
Step 3: Select the Template you previously published
Step 4: For Name, enter “Payroll Database Required Review”
Step 5: For Organization, select “OneTrust”
Step 6: For Primary Record Type, select “Assets”
Step 7: For Primary Record, select the asset you created (Payroll Database) from the list
Step 8: Select yourself (Admin###) for both Respondent and Approver
Step 9: Click the blue “Launch” button at the bottom right of the screen
Part 2
Step 1: Click the “Asset Information” section on the left
Step 2: Answer the question you created with “No”
Step 3: Answer a few more questions (main question requiring an answer is the one you created)
Step 4: Click the blue “Submit” button in the bottom right
Step 5: Click the blue “Confirm” button
38
Managing Risks
Step 1: Click the “Risk Register” tab on the left menu
Step 2: Click the ID of the risk that got created by submitting the assessment (#189)
Step 3: Advance your risk to the “Treatment” phase by clicking “Advance”
Step 4: Enter a Risk Owner (Assign to Me) and a Treatment Plan of your choice (Ex: Create and assign an
access control policy to this asset)
Step 5: Click the “Save & Advance” button
Step 6: At the top right of the screen, click the white “Request Exception” button.
Step 7: For comments, enter “Access to this database is open for all, but within the asset there are restricted
areas to select employees.”
Step 8: Click the blue “Submit” button
Step 9: Click the blue “Grant Exception” button at the top right of the screen menu.
Step 10: For Result, select “Reduced,” or a result of your choice
Step 11: Change the “Residual Risk Level” to a lower score
Configure Automation Rules

Part 1
Step 1: Click the “Automation Rules” tab inside the "Setup" section on the left menu
Step 2: Click the blue “Add Rule Group” button at the top right of the screen
Step 3: For Rule Group Name, enter “Asset Rule Group”
Part 2
Step 1: Click the blue “Add Rule” button at the center of the screen
Step 2: For the “Select a Rule Type” dropdown, select “Asset”
Step 3: Click the blue “Continue” button
Step 4: For Rule Name, type in “Asset Review Rule”
39
Step 5: For Frequency Run on the drop-down menu select “Daily”

Step 6: For the Trigger dropdown, select “Last Assessment Completion Date – By Template.”
Step 7: For Operator dropdown, select “Equal To.”
Step 8: For Number, enter 180 (180 days are approximately 6 months)
Step 9: Click the “Select a Template” field and click the template name that you chose earlier
Step 10: For the “Actions” dropdown, select “Send Asset Assessment”
Step 11: Click into the “Template Name” field & select the template you created earlier
Step 12: Click the blue “Save” button at the bottom right of the screen.
Third-Party Risk Management
Populate Vendor Inventory

Step 1: Click on the Launchpad at the top left
Step 2: Click on the “Third-Party Risk Exchange” module
Step 3: Click on the “Exchange” tab on the left menu
Step 4: Click on OneTrust’s logo
Step 5: Review the details of the company
Step 6: Click the white “Add” button at the top right of the screen and then click “Confirm”
Step 7: Click the Launchpad at the top left of the screen
Step 8: Select the “Third-Party Risk Management” module
Step 9: Click “Vendors” under the “Inventory” header on the left menu
Step 10: Click the name of the Vendor you just added (OneTrust)
Step 11: Review how the data in the inventory matches what was in the Exchange
Create an Onboarding Workflow

Step 1: Select the “Workflows” tab in the “Setup” section on the left menu
Step 2: Select ‘View’ under the Vendor Workflows & Routing Rules tile
Step 3: Select the ‘Default Onboarding’ workflow
Step 4: Clone the workflow by clicking the blue “Clone” button in the top right
40
Step 5: Name your workflow ‘XX: Default Onboarding’

Step 6: Then click the blue “Clone” button
Step 7: Select the new workflow you created under the list of workflows
Step 8: Select the “Under Evaluation Stage”
Step 9: Click the “Workflow Rules” tab
Step 10: Click the white “Add” button under “Event Triggers”
Step 11: For “Trigger Name”, type in “Skip to In Review”
Step 12: For “Trigger Type” select “Assessment Submitted”
Step 13: Click the blue “Save” Button
Step 14: In the middle, select the blue “Add Rule” button
Step 15: For “Rule Name” type “Assessment Completed Stage Rule”
Step 16: Under Conditions, set the trigger to “Assessment Stage – By Template”
Step 17: Select “Completed” for the “Select Assessment Stage” dropdown
Step 18: For AND, select the template “Vendor Privacy & Security Program Questionnaire (VRM)”
Step 19: Under Actions set the stage as “In Review”
Step 20: Then select the blue “Save” button
Step 21: Select the blue “Publish” button at the top and then again in the middle
Add an Engagement
Step 1: Select “Engagements” on the left side of the screen
Step 2: Click the blue “Add Engagement” button
Step 3: For Engagement Name, type “Governance, Risk & Compliance”
Step 4: For Engagement Organization, select “OneTrust”
Step 5: For Engagement Type, select “Vendor Engagement”
Step 6: For Engagement Vendor, select “OneTrust”
Step 7: Services add “Governance”, “Risk” & “Compliance”
Step 8: Engagement Internal Owner, select yourself (Admin####)
Step 9: For Engagement External Contact, add an email you have access to
41
Step 10: For engagement notes, type “Software to support our organization’s GRC efforts”
Step 11: Select the blue “Add” button in the bottom right
Enterprise Policy Management
Add a New Policy

Step 1: Click on the Launch Pad at the top left of the screen
Step 2: Click on the “Enterprise Policy Management” module
Step 3: Click the “Policies” tab on the left side of the screen
Step 4: Click the blue “Create Policy” button at the top right of the screen
Step 5: Select the “Import from Gallery” option and click the blue “Next” button
Step 6: Click the white “Choose From Gallery” button in the top right corner
Step 7: In the Search Bar, type “Database”
Step 8: Hover over the “SANS Database Credentials Coding Policy” tile and click the “Preview” button
Step 9: Scroll through the contents then click the blue “Choose Policy” button at the bottom right
Step 10: For Policy Name, type “Database Credentials Policy”
Step 12: Select a Policy Owner and Policy Approver
Step 13: Click the blue “Create” button at the bottom right of the menu
Add Controls to a Policy

Step 1: Click on the “Policies” tab on the left menu
Step 2: Click on the Policy you created
Step 3: Click on the “Controls” tab at the top middle of the screen
Step 4: Click the blue “Add Control” button in the center of the screen
Step 5: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)” on the left side of the menu
Step 6: In the Search Bar at the top right, type “A9”
Step 7: Check the box for “A9.1.1 Access control policy”
Step 8: Scroll down to and check the box for “A9.2 User access management”
42
Step 9: In the Search Bar at the top right, type in A.9,

Step 10: Check the box for “A.9 Access control”
Relate Policy to a Vendor

Step 1: Click on the “Policies” tab on the left menu
Step 2: Select the policy you created
Step 3: Click on the “Related” tab for that policy
Step 4: Scroll down and click the “Add Related Vendor” button
Step 5: Click on “Choose Vendor” and select a Vendor of your choice
Step 6: Click the blue “Add Related” button
Create an Automation Rule

Step 1: On the left menu, select “Automation Rules” under the “Setup” section
Step 2: Click the blue “Add Rule Group” button in the top right
Step 3: For Rule Group Name, type “Policy Rules”
Step 4: Select “OneTrust” as the Organization
Step 5: Click the blue “Add” button
Step 6: Click the blue “Add Rule” button
Step 7: Select “Policy” on the rule type drop down
Step 8: Click the blue “Continue” button
Step 9: For Rule name, type “Policy Reminder”
Step 10: Select “Daily” as the Frequency, click the black arrow to the right, then select a time of day of your
choice
Step 11: Under Conditions, set the trigger as “Attribute”
Step 12: Select “Effective Date” for the “Select Attribute” box
Step 13: Select “Equal To” for the Operator
Step 14: Add “7” for the “Number” box
43
Step 15: Keep the “Days Before” option

Step 16: Under Actions, select “Send Approval Reminder Email” from the drop down
Incident Management
Create a Custom Incident Type

Step 1: Click the Launch Pad in the top left and select the Incident Management module
Step 2: Under Setup on the left menu, click on Incident Types tab
Step 3: Click the blue "Add New" button
Step 4: Add a new Incident Type option, for example: "Natural Disaster"
Step 5: Click blue Save Attribute button
Create an Incident Workflow

Part 1
Step 1: Click the “Workflows & Rules” tab in the “Setup” section on the left menu
Step 2: Click “Default Workflow”
Step 3: Click the white “Clone” button at the top right
Step 4: For workflow name, type in “Data Incident Workflow”
Step 5: Click the blue “Clone” button
Part 2
Step 1: Click into your new workflow
Step 2: At the top middle of the screen, click the “+” button in between “Investigating” and “Remediating”
Step 3: For stage name, type “Risk Analysis”
Step 5: Click on the “Rules” tab
Step 6: Click the blue “Add Rule” button in the center of the screen
Step 7: For Rule Name, type in “Notification Rule”
44
Step 8: For the Actions dropdown, select “Send Notification”

Step 9: For recipients, set the dropdown to “System User” then type in your email and click “Assign to: <your
email>” option in the dropdown list
Step 10: For Subject, type “Data Incident Occurrence – Notify CIO”
Step 11: For Body, type “There has been a data incident, please visit the incident register for more details”
Step 12: Click the blue “Save” button at the bottom right of the screen
Step 13: Click the blue “Publish” button at the top right of the screen
Step 14: Click the blue “Publish” button in the center of the screen
Part 3
Step 1: Click the “Workflows & Rules” tab on the left side of the screen
Step 2: Click the “…” button to the far right of your new workflow
Step 3: Select “Set as default”
Create a new Attribute & Webform

Part 1
Step 1: Click the “Attribute Manager” tab in the “Setup” section on the left menu
Step 2: Click the blue “Add Attribute” button
Step 3: Add a Name for the new attribute (“Incident Location”)
Step 4: Add a Description as a question (“Where did the incident happen?”)
Step 5: For Response Type, choose “Single Select” and add 3 cities on the right for options
Step 6: Click on the blue “Save” button
Part 2
Step 1: Click the “Web Forms” tab under the “Setup” section on the left menu
Step 2: Click the blue “Add New” button in the top right
Step 3: Add a name (OneTrust Web Form) and click the blue “Create” button
Step 4: For “Form Fields” section, add the following: Date Discovered, Data Occurred, Description, Incident
Type, and the new attribute you created
Step 5: In the “Form Styling” section, personalize your new Web Form header by adding a logo and changing
the color
45
Step 6: OPTIONAL – Edit the text in the “Form Text” section

Step 7: Click on the white “Save Template” button in the top right
Step 8: Click on the blue “Publish” button in the top right and then the center of the screen
Step 9: Click on the white “Test” white button on the menu that appears
Step 10: Fill the fields and click “Submit”
Step 11: Exit the tab to return back to the original screen
Link an Incident to a Risk

Step 1: Click the “Incident Register” tab on the left menu
Step 2: Click into the incident you created in the previous exercise
Step 3: Click on the “Risk Analysis” stage across the top
Step 4: Click on the “More” tab and select “Risks”
Step 5: Click the blue “Add Risk” button in the middle of the screen
Step 6: Check the box on the left for the risk you created earlier
Step 7: Click the blue “Link to Incident” button on the bottom right
Audit Management
Create a new Audit

Step 1: Click on the “Audits” tab on the left menu
Step 2: Click the blue “Create Audit” button at the top right
Step 3: For Audit Name, type “Database Controls Audit”
Step 4: For Standard/Framework, select “ISO/IEC 27001:2013 (27002)”
Step 6: Select yourself (Admin####) for both Auditor and Recipient
Step 7: Click the blue “Next” button at the bottom right
Step 8: Click the white “Select” button for the “Controls” row
Step 9: Select a framework on the left side of the screen and check the boxes for several controls of your
choice
(Tip: Use A.9 Access Control, A.9 4.3 (2) Password Management System controls from earlier)
46
Step 10: Click the blue “Submit” button at the bottom right
Step 12: On the “Assign Auditor(s) and Approver(s)” screen, check the top white box to the left of
“Workpaper Name”
Step 13: Click the white “Bulk Assign” button that appears in the top right
Step 14: Input yourself as both Auditor and Approver
Step 15: Click the blue “Assign” button at the bottom of the menu
Step 16: Click the blue “Complete” button at the bottom right
Step 17: Click the blue “Create” button in the center of the screen
Create New Attributes & Complete a Workpaper

Part 1
Step 1: Click on Attribute Manager on the left menu
Step 2: Click “View” in the “Workpaper Attributes” tile
Step 3: Click the “Groups” tab at the top
Step 4: Scroll to the bottom and click the white “Add Group” button
Step 5: For Group Name, type “Testing Details”
Step 6: Click the blue “Save” button
Step 7: Click the blue “Add Attribute” button in the top right
Step 8: For Name, type “Procedure”
Step 9: For Description, type “What is the procedure used to test the control?”
Step 10: For Response Type, select “Text”
Step 11: Click the white “Save and Add Another” button
Step 12: For Name, type “Testing Deadline”
Step 13: For Description, type “What is the deadline to test the control?”
Step 14: For Response Type, select “Date”
Step 15: Click the blue “Save” button
Step 16: Click the “Manage Attributes” button under the “Workpaper Attributes” Group we created
47
Step 17: Move the 2 attributes we created from the left column to the right by selecting them and clicking the
“>” button
Part 2
Step 1: Click the “Audits” tab on the left and select the audit we created
Step 2: Click on the “Workpaper” tab, click into a Workpaper ID, and identify the attributes we created
Step 3: Edit those two fields and click the blue “Save” button
Step 4: Click on the “Tasks” tab across the top
Step 5: Click “Advance” then “Confirm” at the top right to move the workflow to the “In Progress” stage
Step 6: Click the blue “Add Task” button
Step 7: For Task Name, type “Review Controls Implementation”
Step 8: Select yourself as the Assignee
Step 9: Click on the blue “Save” button
Step 10: Click into the Task name, review options, and click “Mark as Completed”
Step 11: Click on the blue “Advance” then “Confirm” buttons to the Complete stage
Remediate a Finding
Part 1
Step 1: Click the Audit we just completed
Step 2: Click the “Findings” tab across the top
Step 3: Click the blue “Log Finding” button
Step 4: For “Finding Type,” select “Opportunity for Improvement”
Step 5: For Finding, type “Only 3 unique fields for passwords”
Step 6: Click the blue “Save” button at the bottom right
Part 2
Step 1: Click the Finding ID number you just created
Step 2: Scroll down and click under “Action Plan” to edit
Step 3: In the Action Plan box, type “Use 5-7 unique fields for passwords”
Step 4: Click the blue “Save” button at the bottom right
48
Step 5: Click the blue “Advance” then “Confirm” buttons

Step 6: Click the “Tasks” tab
Step 7: Click the blue “Add Task” button
Step 8: For “Task Name,” type “IT needs to configure more fields for passwords.”
Step 9: Click Save
Step 10: Click on the blue “Advance” then “Confirm” buttons to complete the finding
Run an Audit Report

Step 1: Click the Launch Pad Icon at the top left
Step 2: Scroll down and select the “Reports” module
Step 3: Click the blue “Create New” button at the top right
Step 4: For “Data Source,” select “Audit Management”
Step 5: Select the “Finding Default Column Report” option
Step 7: For Report Name, type “Audit Report 2022”
Step 8: Click the blue “Create” button at the bottom right
Step 9: Make any desired changes to columns then click the white “Save” button at the top right
Step 10: Click the blue “Export” button at the top right & select the “Excel” option
Step 11: Click the “Close” button in the middle of the screen
Step 12: Click the button with the bells at the top right of the screen
Step 13: Click the report name to download the Excel file
49

GRCPro Handbook v2023.1.4

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GRCPro Handbook v2023.1.4

Uploaded by

Copyright:

Available Formats

OneTrust GRC Professional

Certification Program Handbook

GRC & Security

Managing Risks ...................................................................................................................................... 19

Create an Audit Report ........................................................................................................................... 29

Create an Automation Rule .................................................................................................................... 43

OneTrust GRC Certification Program Reference Guide

Resources & Support

Other resources include:

Tenant Support Request

Terminology & Frameworks Overview

Commonly Used Frameworks

Organizations, Roles, & Users

Adding a User Exercise

IT Risk Management: Elements & Inventories

• Asset – any item of value to your business

Risk Scoring Methodology

Create an Asset & Processing Activity

Prepare for Common Risks

IT Risk Management: Assessment & Risk Management

Assessment & Risk Lifecycles

Configure Automation Rule

Third-Party Risk Management

Add Vendor via Exchange

Create an Onboarding Vendor Workflow

Enterprise Policy Management

What do policies do?

Why do we need them?

Adding Controls to a Policy

Create an Automation Rule

Create Custom Incident Type

Create an Incident Workflow

Create a New Attribute & Web Form

Link Incident to a Risk

Create a New Audit

Add a New Attribute & Complete a Workpaper

Create an Audit Report

Entity – A registered business involved in and responsible for data processing

Processing Activity – An activity where data is touched stored or moved

Detailed Exercise Steps

ITRM: Inventories & Elements

Risk Scoring Methodology

Create an Asset & Processing Activity

Prepare for Common Risks

ITRM: Assessments & Risk Management

Configure Automation Rules

Step 5: For Frequency Run on the drop-down menu select “Daily”

Third-Party Risk Management

Populate Vendor Inventory

Create an Onboarding Workflow

Step 5: Name your workflow ‘XX: Default Onboarding’

Enterprise Policy Management

Add a New Policy

Add Controls to a Policy

Step 9: In the Search Bar at the top right, type in A.9,

Relate Policy to a Vendor

Create an Automation Rule

Step 15: Keep the “Days Before” option

Create a Custom Incident Type

Create an Incident Workflow

Step 8: For the Actions dropdown, select “Send Notification”

Create a new Attribute & Webform

Step 6: OPTIONAL – Edit the text in the “Form Text” section