Understanding the Pre-Loaded Assessments in BeyData Librarian

Assessment Definition Editor

BeyData Librarian helps you conduct risk assessments for common privacy and security concerns, for regulatory compliance, or simply to understand where your data is and who has access to it. Each module is meant either to stand alone or to be used together with another assessment or assessment block.

The base assessments shipped are:

  • System Id – The System ID assessment allows you to define a system, documenting all its contact points, identifying the subject matter expert, and determining not only its primary locations but its overall geographical reach. What is also significant about this assessment is that it creates a data inventory catalog card for every system being assessed. These catalog entries can be used for reporting or contact call sheets.
  • Data Sovereignty – This Assessment deals directly with the questions of where the data is received, used, stored, and backed up and whether the data is in the cloud. It looks at the origination of the data and considers where there are requirements to keep that data in country.
  • Consent – The Consent assessment deals with how consent is obtained, how consent is documented, whether consent is limited, and how the specific dataset is marked with consent. This is tied closely to purpose limitation, at which time the “reason” for holding this data is also documented, along with a projection of how long it should be retained.
  • DPIA Module – The Data Protection Impact Assessment is a grouped assessment. By grouped we mean it combines multiple assessments into one assessment workflow. Both Data Sovereignty and Consent are assessments called from this assessment definition, so it represents a complete assessment rather than a building block. When using a sub-assessment, you have an important option: you can choose to wait for the sub-assessment to complete, or continue with the parent assessment. With sub-assessments it is important to have an assessment name that you can recognize, so the main assessment is always listed as the parent. For example, the DPIA Module calls both Consent and Data Sovereignty. When you are using the assessments you will see the child assessments listed under the parent: if an assessment is called SampleDPIA and it launches a Consent assessment module, the Consent module will be indicated as SampleDPIA.Consent.
  • Third Party Assessment – This assessment module deals with third-party basics such as identifying all third-party entities and which entities use the data. Additionally, it lets you indicate who is responsible for assuring proper use of data in the system and, if applicable, for determining what data can be shared with other parties and systems. It also allows you to define any policies and procedures that have been established for this responsibility and accountability.
  • Data Access and Sharing – This assessment module evaluates data access and sharing; it additionally determines whether data is external and who has access to it. This assessment module calls the Third-Party Assessment and the Third-Party Access Assessment.
  • Data Security – This assessment module deals with how the data in the system is verified for accuracy, timeliness, and completeness. It also allows you to identify what administrative and technical controls are in place to protect the data from unauthorized access and misuse.
  • Maintenance and Retention – This assessment module deals specifically with Data Maintenance and Retention. The questions also address the maintenance and retention of records, the creation of reports on individuals, and whether a system of records is being created under the Privacy Act, 5 U.S.C. 522a.
  • Business Processes – This assessment deals with data collection, whether the data is in the cloud or backed up, sovereignty and sharing, data aggregation, and potential profiling. It also deals with what controls are in place to protect newly derived data from unauthorized access or use, as well as with technologies, monitoring, and types of corporate harm. Finally, it asks the obvious question: “Did the completion of this Data PIA result in changes to business processes or technology?”
  • Access Third Party Assessment – This is identical to the Third-Party Assessment but, for reporting purposes, is designed to be used specifically with access questions.
  • Fork Example – BeyData Librarian provides a visual overview with a workflow management process that combines Risk Profiles, Data Catalogs, Assessments, and Reporting into a unified risk management system. The Fork example shows how an assessment can fork off (branch) and then return later for a join and completion. It is a powerful feature, so it was included in the default assessments as an example only.

Please remember that these are simply examples; you can use them as working assessments or as templates for your own. You can also modify them. We recommend that you export an assessment, re-import it into the system as a new assessment definition, and then change the new definition rather than the shipped one.

Remember that these assessment definitions are just that: definitions. An assessment is not created until you run a new instance of an assessment from its definition.
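The two ideas above, the definition/instance split and the way a grouped assessment such as the DPIA Module names the child instances it launches (SampleDPIA.Consent), are easy to mis-model when building reports or integrations around them. The following is an added illustration written for this page, not code from BeyData Librarian itself: it is a small model in which definitions are composed of sub-assessment definitions, running a definition creates a tree of instances named Parent.Child, and each definition records whether the parent must wait for its children before it can be completed. All class and function names (`AssessmentDefinition`, `AssessmentInstance`, `run_assessment`, `complete`) are assumptions for the example.

```python
"""Toy model of grouped assessments and Parent.Child instance naming.

This is illustrative code for the explanation above, not the product's API.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AssessmentDefinition:
    """A reusable definition; nothing is assessed until it is run."""
    name: str
    sub_assessments: List["AssessmentDefinition"] = field(default_factory=list)
    # True: parent waits for its sub-assessments; False: parent may continue.
    wait_for_children: bool = True


@dataclass
class AssessmentInstance:
    """One concrete run of a definition, linked to its parent and children."""
    name: str
    definition: AssessmentDefinition
    parent: Optional["AssessmentInstance"] = None
    children: List["AssessmentInstance"] = field(default_factory=list)
    status: str = "open"


def run_assessment(definition: AssessmentDefinition, instance_name: str,
                   parent: Optional[AssessmentInstance] = None) -> AssessmentInstance:
    """Create an instance tree; each child is named '<parent name>.<definition name>'."""
    inst = AssessmentInstance(instance_name, definition, parent)
    for sub in definition.sub_assessments:
        child = run_assessment(sub, f"{instance_name}.{sub.name}", inst)
        inst.children.append(child)
    return inst


def complete(inst: AssessmentInstance) -> bool:
    """Try to complete an instance.

    Returns False (and leaves it open) when the definition says to wait
    and some child instance is still not complete.
    """
    if inst.definition.wait_for_children and any(
            c.status != "complete" for c in inst.children):
        return False
    inst.status = "complete"
    return True


def instance_names(inst: AssessmentInstance) -> List[str]:
    """Flatten the instance tree into the names a report would list."""
    names = [inst.name]
    for child in inst.children:
        names.extend(instance_names(child))
    return names


# Constructed definitions mirroring the shipped DPIA Module, which calls
# Consent and Data Sovereignty as sub-assessments.
CONSENT = AssessmentDefinition("Consent")
DATA_SOVEREIGNTY = AssessmentDefinition("Data Sovereignty")
DPIA_MODULE = AssessmentDefinition("DPIA Module", [DATA_SOVEREIGNTY, CONSENT])


def demo() -> List[str]:
    """Run a DPIA instance called SampleDPIA and show the waiting behaviour."""
    dpia = run_assessment(DPIA_MODULE, "SampleDPIA")
    blocked = complete(dpia)            # False: children still open
    for child in dpia.children:
        complete(child)                 # children have no sub-assessments
    finished = complete(dpia)           # True once every child is complete
    return instance_names(dpia) + [f"blocked={blocked}", f"finished={finished}"]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The `wait_for_children` flag is the model's stand-in for the "wait for the sub-assessment or continue" choice described above: with it set to False on the parent definition, `complete` succeeds even while a child instance is still open, which is what lets a workflow carry on past a long-running Consent review.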

It is also important to remember that you can create risk templates for an assessment; these allow you to define a default risk for any question, answer, or branch depending on the assessment answers. If you have further questions, refer to the manual or the context-sensitive help.

Below is a visual representation of the assessments and their flow (figure images not reproduced here; captions only):

Figure 1 – DPIA Module

Figure 2 – System ID

Figure 3 – Consent

Figure 4 – Data Sovereignty

Figure 5 – Third Party

Figure 6 – Data Access and Sharing

Figure 7 – Maintenance and Retention

Figure 8 – Business Processes