True or False: TRA's cannot be launched prior to a TPRA being completed.
False
What are the two required attachments for the IRQ
App Map and Use Cases
What is the minimum level of leadership we are looking for to represent a project/technology Executive Sponsor?
GVP and up
What should be the focus of the high-level description question in section 1 of the IRQ?
what the technology is!
How would an analyst know what risk types they are responsible for flagging?
They aren't responsible for flagging, the automation does it.
How would you know if a new asset needs to be created for a TRA?
If there's no matching asset listing in OT.
How do respondents get a copy of the use case template?
Click the link in the IRQ question!
What is an example of a non-fi managed device a technology could be accessed by?
personal laptop, phone, desktop
What should an analyst do if the target go-live date listed is the same day the IRQ was submitted?
Reach out to the project team to set reasonable expectations for the completion of the TRA/CIA, and setting the go-live date to account for at least that time.
How is the analyst supposed to create risks for the asset being assessed?
Selecting "Finish Review" to change the IRQ status to completed. The automation creates the risks.
How do you create all of the Jira tickets for the TRA
Create an epic and include "TRA - " at the front of the epic name.
What do we do if a project team submits an alternative architecture map that they feel is better than the app map template?
kindly ask for them to complete the app map using the official template.
What is an easy way to determine whether a technology is Cloud or on-prem?
Cloud technologies often require accessing them via a web-browser, whereas on-prem will just be locally installed and access on your desktop.
What is the difference between the entities using the tech and the entities being supported by the tech?
supported just means they benefit from someone else directly using it.
Where would the analyst find how to set the impact and likelihood of a risk?
The IRQ Guide document
When would you include a "v[X]" in the name of the IRQ?
If we have already conducted at least one prior TRA on the asset before.
What is the desired nature of the use cases, what should each use case describe?
processes executed via the technology
What is the definition of a non-technical integration?
Other technologies that are sending data to or receiving data from this technology only through manual actions by a fisher employee.
What are the three AI natures asked about in the IRQ?
Agentic, Generative, Machine Learning/predictive
How do analyst prescribe the default controls for a given risk type?
closing the IRQ, the controls are automated as well!
How do you know who to set as the respondent of an IRQ for a new technology?
It should be the primary contact for the project, likely the person who filled out the TPOF. They may ask to add additional people to it.
Who can we refer project teams to for help completing the app map?
Brett Brown!
What does it mean for a cloud server to be public?
other accounts are also housed on the same server. our data is not public!
How would an analyst know whether or not they should challenge the answers for the impact questions if all the answers are 1's on the 6 point scale?
What question in the IRQ determines the impact of Confidentiality risk?
The Data Elements question.