What are the three SME groups that are always involved in every TRA?
Infosec, DPO, I&O
Who is responsible for clearing out non-prescribed controls that were automatically created in OneTrust?
the ORM analyst!
How is it determined which controls should be included on a CIW?
The controls prescribed to the associated technology during a TRA (as listed in OneTrust with the associated Asset)
What format is the CIA report created in currently?
Excel
This field indicates how long it's been since the last review
Date of last completed risk assessment
Does the AI Control Team's involvement come before or after Annie's review?
After
Who determines the Projected Residual Risk for Confidentiality risk?
Infosec SMEs
Who is responsible for filling out the control statuses in the CIW?
Project team
What three risk ratings are included in the CIA for each Risk type?
Inherent, projected residual and current residual
This field helps us understand what kind of assessment was conducted last
Version of last completed assessment
How do the majority of the SMEs access the answers provided in the IRQ?
Accessing the IRQ directly in OneTrust
What tool/module in OneTrust do you use to export the data to create a report?
the Report Module
What resources are available to determine if the control was properly implemented?
team trainings, experience with previous assessments, GCL guidance
Where can the reader see additional context for what was included in the associated TRA?
The original assessment tab
This field helps us understand the data that was last assessed
Data classification level
What is ERM's preferred way for the SMEs to ask questions of the project teams during review?
Information Request function within the IRQ in OneTrust.
change the filter for the risk shape
Is attestation (saying a control is implemented) enough to conduct the Control Implementation Assessment?
No, evidence for each control is required!
What are the two ways SMEs can access a copy of the CIA report to review?
Email, teams channel
This field helps us understand what's been done about the risk
control status
Do we need to wait for all SMEs to be done with their reviews prior to moving forward with a TRA?
Yes! Even if just a notification of no concerns/risks.
Who do we send the finished report to via the delivery email template?
Project team and their direct leadership up to and including their EVP (bragging points), and also any other people identified as stakeholders in the IRQ!
What would be acceptable evidence for the control requiring the creation of a training plan?
A copy of the training plan!
What are the two conditions that determine whether a DTAC is required after a CIA?
current residual of High or Critical, AI inclusion
This field helps us find additional context about the asset and the larger situation involved
Related Vendors