Privacy assessment configurations
To perform a processing activity criticality and privacy risk assessment, two risk assessment methodologies (RAMs) are provided by default.
The RAM is a configuration or a record in the risk assessment engine. It is a part of the Advanced Risk application. The RAM is used for assessing either the risks or objects in your organization. A configured RAM is an object with associated assessment types that have associated factors. This allows an organization to have different methodologies for assessing risk. To understand more about the factors or questions used in the assessments, refer to Factors in Advanced Risk Assessment.
The privacy-specific RAM records have the Domain field set to Privacy. As a privacy administrator, you can make a copy of the default RAMs and modify them. To understand more about RAM
configurations, refer to Configure a risk assessment methodology. To understand how you can make a copy of a RAM, refer to and Copy a risk assessment methodology.
Note:
Because only two RAMs are permitted for use at a time, you must retire the old criticality RAM and publish the new RAM to utilize the criticality automation.
It is important to consider the following points when performing risk assessments.
- In the Privacy domain, you can only modify a RAM. Creation of a RAM is not permitted.
- Only two active RAMs are allowed. If you must copy or modify more than two RAMs, you must retire one.
- The RAM can be configured and its order can be modified according to your requirements.
- Users with the following roles can perform the privacy-related criticality and detailed
privacy risk assessments.
- Privacy business user (sn_privacy.business_user)
- Privacy analyst who owns the processing activity
- Privacy assessment responder (sn_privacy.assessment_responder)
- Privacy manager (sn_privacy.manager)