
WolfPAC Integrated Risk Management

Data Security & Privacy Risk Management User Guide

Version: 1.1

1-16-2020

Wolf & Company, P.C. i

Copyright © 2020

WolfPAC Integrated Risk Management® is a secure, web-based enterprise risk management solution used by over 170 banks, credit unions, and technology companies to automate the identification of risks, threats, and control gaps. Developed by financial professionals, WolfPAC® provides tools to review and monitor information technology, privacy, vendor, and other enterprise-wide risk assessments. Quarterly methodology updates are designed to align with changing business environments and emerging compliance and examination standards. A robust suite of reports allows management to analyze their control gaps and benchmark risk profiles against peers. WolfPAC keeps institutions safe and sound, and maximizes the outcome of strategic objectives.

Copyright

Copyright 2020 © Wolf and Company, P.C.

Confidential and Proprietary Information of Wolf and Company, P.C.

All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without prior written permission of Wolf and Company, P.C.

Wolf and Company, P.C.

99 High Street

Boston, MA 02110

Telephone: 617-439-9700

Website: www.wolfandco.com


Contents

Introduction (p. 1)
  What is the Data Security & Privacy Risk Management Module? (p. 1)
Getting Started (p. 2)
  Login (p. 2)
  Navigate to the Data Security & Privacy Risk Management Module (p. 3)
  Reviewing the Methodology for the Data Security & Privacy Risk Management Module (p. 4)
  Help and Support: How to Use KnowledgePAC (p. 5)
Administrative Tasks (p. 6)
  Manage Permissions (p. 6)
  Manage Processes (p. 9)
  Manage Documents (p. 11)
    Add New Document (p. 11)
    Edit Document (p. 13)
    Delete Document (p. 13)
  Edit Assignments (p. 14)
  Manage Controls (p. 20)
  Manage Response Options (p. 22)
Entity-Level Risk Assessment (p. 23)
Document Questionnaire (p. 27)
Data Security Risk Assessment (p. 29)
Identity Theft Red Flags Assessment (p. 35)
Privacy Risk Assessment (p. 37)
Reports (p. 39)


Introduction

Welcome to the Data Security & Privacy Risk Management module user guide. This user guide is designed to provide documentation for people who will use WolfPAC's Data Security & Privacy Risk Management Module to manage data security and privacy risk. This document is designed to be read by any user of the module, as most users will have access to the features documented here. Administrator features are also documented in this guide.

What is the Data Security & Privacy Risk Management Module?

The Data Security & Privacy Risk Management module (DSP) is a component of the WolfPAC Risk Management suite that allows you to manage data security and privacy risk. Within the module you can create an inventory of all documents used by your organization that contain non-public personal information (NPPI), assess and mitigate threats, and perform risk assessments.


Getting Started

This section will show you the basic functionality of how to log in and navigate the WolfPAC system.

Login

To access the Data Security & Privacy Risk Management module, you will need to log into WolfPAC.

1. Navigate to the WolfPAC Login Page

Set your browser to: https://wolfpac.wolfandco.com/application/login/

2. Enter Your Username and Password

The WolfPAC login screen will display. Enter your username and password into the Username and Password fields. Click the Login button.

3. Authenticate Your Login with Two-Factor Authentication

For more information on this process, please refer to the WolfPAC Account Management User Guide.


Navigate to the Data Security & Privacy Risk Management Module

To access the Data Security & Privacy Risk Management module, you will first need to log into WolfPAC.

From the WolfPAC homepage, click on the Data Security and Privacy Risk icon within the wheel. You may also hover over the Risk Management menu and select the Data Security and Privacy Risk link to access the module.


Reviewing the Methodology for the Data Security & Privacy Risk Management Module

Before you get started on the Data Security & Privacy Risk Management module, you should review the methodology used to calculate risk in this module. The methodology document will step you through important concepts and calculations for inherent and residual risk values used in this module.

To access this document, click the Assessment Methodology PDF link on the module homepage. The document will display in PDF format.


Help and Support: How to Use KnowledgePAC

Access to help features and the ability to contact WolfPAC support is available in the KnowledgePAC feature located at the top right of the WolfPAC home page by clicking Help & Support.

Features available to you in KnowledgePAC:

- FAQs: View Frequent and Latest FAQs about WolfPAC features.
- Search: Search all FAQs using the search box.
- Contact Support: Create a ticket to the WolfPAC Support team.
- Request Technology and Vendor: If you use a technology that is not on the technology list, you can request WolfPAC to add it to the list.
- Blog: Links you to the WolfPAC blog where you can read articles relating to WolfPAC and Risk Management.
- Webinars: Links you to the WolfPAC Resource Library which contains past recordings, articles and more.
- Add to FAQ: Ask a question about WolfPAC.
- Request Webinar: Request a webinar on a WolfPAC topic.
- User Group Board: Links to WolfPAC user group activities.
- Request Product Demo: You can request demos of WolfPAC modules you currently do not license.
- Request Due Diligence: Request documents that are helpful when performing due diligence on a vendor such as a Business Continuity Plan or SOC report.
- Request Training: You can request additional training on WolfPAC.
- Release Activities: Search release notes for any module.


Administrative Tasks

This section explains some required Administrative activities such as managing documents, setting up Owner and Reviewer assignments, and managing controls. Unless a user has been designated a WolfPAC Administrator, they will not be able to perform these activities. For more information on user maintenance, refer to the WolfPAC Account Management User Guide available within the Help & Support menu.

Manage Permissions

WolfPAC allows Administrators to manage the level of access that each user has to the Data Security & Privacy Risk Management module. Access is divided into the following options: Read, Read & Write, or Report. Any combination of these permissions may be granted to each user.

- Read: The user can access and view the module in read-only mode. They cannot edit anything.
- Read & Write: The user can access and make edits/updates/changes to the module (depending on what they have been specifically assigned to).
- Report: The user can access and generate reports for the module.

Grant Read & Write only to users who own or review assessments; Read or Report access is sufficient for oversight and audit roles.

1. Navigate to User Maintenance

From the WolfPAC homepage, click on the Manage People icon in the center of the wheel. Alternatively, you may hover over the Administration menu and select Manage Organization > User Maintenance. Both options will redirect to the User Maintenance screen.


Click on the edit users link beside your organization name.

2. Update Permissions Individually

Locate the desired user in the table and hover over the blue Operation icon. Select the edit link. Then click on the Manage Permissions tab on the left-hand side of the screen. Use the checkboxes to enable or disable Read, Read & Write, and/or Report access to each module that your organization has licensed. Be sure to click on the Save button when finished and note that the new permissions will go into effect on the user's next login.


3. Update Permissions In Bulk

On the edit users page, use the checkboxes on the left-hand side of the screen to select multiple individuals and edit their permissions at the same time.

Note: If the first individual selected is an Administrator, you will only be able to select other individuals who are also Administrators. If the first individual you select is a User, you will only be able to select other individuals who are also Users. This is due to Administrators and Users having slightly different permissions.

When the desired users have been selected, click on the Set Permissions button above the table. In the popup window that appears, use the checkboxes to enable/disable the group's ability to Read, Read & Write, or view Reports for each of the available modules.


Manage Processes

1. Navigate to Manage Processes

From the Data Security & Privacy Risk Management homepage, click on the Manage Processes icon. A link to Manage Processes is also accessible on the WolfPAC homepage.

2. Review the Products/Services, Business Processes, and Business Functions

Ensure that the listing is an accurate representation of the products/services, business processes and business functions offered or performed at your institution. The Active Products and Services radio button will display all of the items selected for your institution, whereas the All Products and Services radio button will show WolfPAC's global library of functions. Use the checkboxes to select or de-select a particular item.


3. Link Items to Business Processes

Click on the name of a business process and select the Edit link. On the right side of the screen, expand the Link Documents section and click on the Link Documents button to link relevant documents to that process.

Repeat the same step for Technologies, Third Parties, and Regulations and link the appropriate items that support each business process.

When linking items to a process, you must use the Business Functions dropdown to select the specific functions within that process that utilize the selected object.

You may also link items to business functions, and that linkage will roll up to the business process level as well.


Manage Documents

You must create an inventory of documents used at your organization. Follow the steps below to do so.

Add New Document

1. Navigate to Manage Documents

From the Data Security & Privacy Risk Management homepage, click on the Manage Documents icon.

At the top of the Manage Documents screen, click on the Add New Document button.


2. Enter Document Details

On the next screen, enter information about the document. Note that the Name, Type, Category, and Classification are all required fields.

3. Save Document

When finished entering the details of the document, click on the Save button to save and remain on the current page, or click Save Changes & Return to save and return to the document inventory.


Edit Document

From the Manage Documents screen, locate the desired document in the table. Hover over the blue Operation icon beside the document and select the Edit link.

Edit the desired information for the selected document.

When finished, click on the Save button to save and remain on the current page, or click Save Changes & Return to save and return to the document inventory.

You may also update the document's Type, Category, Classification, Description, and Content directly from the Manage Documents screen. Simply click on any field to edit it.

Delete Document

From the Manage Documents screen, locate the desired document in the table. Hover over the blue Operation icon beside the document and select the Delete link.


Edit Assignments

Administrators must assign an Owner and Reviewer to each risk assessment within the Data Security & Privacy Risk Management module. The Owner is responsible for completing their assigned assessments, and the Reviewer is responsible for reviewing the Owner's work. Owners and Reviewers are assigned on the Edit Assignments screen. Note that if the Owner or Reviewer is assigned to the (Anyone) option, then all users within your organization will be able to access that risk assessment. Because these assessments record which documents hold NPPI and how they are protected, reserve (Anyone) for assessments that genuinely need organization-wide access and assign named Owners and Reviewers otherwise.

1. Navigate to Edit Assignments

From the Data Security & Privacy Risk Management homepage, click on the Edit Assignments icon. Note that only Administrators have access to this functionality.

2. Entity-Level Risk Assessment Assignments

Use the Owner and Reviewer dropdown menus on the Entity-Level Risk Assessment tab to assign an Owner and Reviewer for the Entity-Level Risk Assessment.


3. Data Security Risk Assessment Assignments

Click on the Data Security Risk tab to edit the assignments for the Data Security Risk Assessment. Click on a name in the Owner or Reviewer column to bring up the dropdown menu where a new Owner or Reviewer may be assigned. Your changes will be saved automatically.

To assign Owners and Reviewers to multiple business processes at once, select the Multiple Assignment radio button. This will bring up two additional dropdown menus to select an Owner and Reviewer from. Select the Owner checkbox if updating the Owner in bulk, and select the Reviewer checkbox if updating the Reviewer in bulk. Then use the checkboxes in the table to indicate where to apply the new Owner and/or Reviewer. Click on the Save button to apply your changes.


To reassign all of the assessments from one Owner/Reviewer to another, click on the Reassignment radio button. Use the checkboxes to indicate whether you want to reassign the Owner, Reviewer, or both. Then select a current Owner/Reviewer along with a new Owner/Reviewer. Click on the Save button to complete the reassignment.


4. Document Questionnaire Assignments

Click on the Documents tab to edit the assignments for the Document Questionnaire. Click on a name in the Owner or Reviewer column to bring up the dropdown menu where a new Owner or Reviewer may be assigned. Your changes will be saved automatically.


To assign Owners and Reviewers to multiple documents at once, select the Multiple Assignment radio button. This will bring up two additional dropdown menus to select an Owner and Reviewer from. Select the Owner checkbox if updating the Owner in bulk, and select the Reviewer checkbox if updating the Reviewer in bulk. Then use the checkboxes in the table to indicate where to apply the new Owner and/or Reviewer. Click on the Save button to apply your changes.


To reassign all of the documents from one Owner/Reviewer to another, click on the Reassignment radio button. Use the checkboxes to indicate whether you want to reassign the Owner, Reviewer, or both. Then select a current Owner/Reviewer along with a new Owner/Reviewer. Click on the Save button to complete the reassignment.


Manage Controls

From the Data Security & Privacy Risk Management homepage, click on the Manage Controls icon. A list of data security and privacy controls will display.

1. Classify Controls

Review each control and click within the Classify column to bring up the dropdown menu. Use this dropdown menu to indicate whether the control is a Process Control or an Entity Level Control, which are defined below. You may also opt to Hide a control.

- Process Control: Default setting for all controls. When this option is selected, the control will display on the Control Selection page of the Entity-Level and Data Security risk assessments whenever an applicable threat is identified. The control will be unchecked on all Control Selection pages and can be checked off on an individual basis within the risk assessments. You may also opt to apply a Process Control to specific business processes by selecting them from the dropdown menu in the Select Processes column.

- Entity Level Control: Selecting the Entity Level Control option will cause that control to be automatically checked off within the Entity-Level and Data Security risk assessments. It will be displayed with the label ENTITY on all Control Selection pages. Use this option to indicate that the control is implemented throughout the organization with no exceptions.

- Hide: Hides the control from all risk assessments including the Entity-Level Risk Assessment and Data Security Risk Assessment. Use this option to hide all controls that do not apply to the organization or will never be implemented in the future.


2. Update Control Descriptions

WolfPAC has provided user-friendly descriptions for each control. To update a control's description, click directly on the description text and it will change to a textbox which can be edited. Click on the blue checkmark icon to save your changes.

You may also use the links below each description to modify it. Select the NIST link to use the NIST description for that control (if available). Select the Custom link to enter a custom description of your choosing.

3. Export Controls

Click on the Export button at the top of the screen to generate an Excel version of the control listing.

4. Import Controls

To update control classifications or descriptions in bulk, the Import feature can be used. Click on the Import button at the top of the screen, and then click on the Download button to generate a copy of the import template. It will pull a current listing of the controls and their classification.

To update the classification of a control, enter the phrase Entity Level Control or Process Control into the Classify Control column of the spreadsheet; the new classification is applied on the next import.

To customize the description of a control, enter the desired description into the Custom Description column.

Please note that the Classify Control and Custom Description columns are the only columns that can be modified for the import. All other columns must not be modified in any way. Before uploading, compare the edited sheet against the freshly downloaded template and confirm that only those two columns differ.

When the spreadsheet is ready to be imported, click on the Browse button to locate it on your local PC. Then click on the Upload button to complete the import.
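As an added example (not WolfPAC's own code, and not its import format), the following Python script performs that pre-upload comparison. It assumes the downloaded template and the edited copy have been saved as CSV (the real export is Excel), that a column named Control identifies each row, and that the editable columns are named Classify Control and Custom Description exactly as the guide spells them. The sample rows are constructed for illustration.

```python
import csv
import io

# Column names assumed from the guide's description of the import template.
KEY_COLUMN = "Control"                      # assumed row identifier
CLASSIFY_COLUMN = "Classify Control"
DESCRIPTION_COLUMNS = ("Custom Description", "Control Description")  # both spellings accepted
ALLOWED_CLASSIFICATIONS = {"Entity Level Control", "Process Control"}

# Constructed sample data: the template as downloaded from WolfPAC ...
TEMPLATE_CSV = """\
Control,Category,Classify Control,Custom Description
Encryption of NPPI at rest,Data Protection,Process Control,
Security awareness training,Governance,Process Control,
Visitor access log,Physical Security,Hide,
"""

# ... and an edited copy with one legitimate change per editable column,
# one read-only column touched (Category) and one misspelled classification.
EDITED_CSV = """\
Control,Category,Classify Control,Custom Description
Encryption of NPPI at rest,Data Security,Process Control,AES-256 on all NPPI file shares
Security awareness training,Governance,Entity Level Control,
Visitor access log,Physical Security,Entity-Level,
"""


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_import(template_rows, edited_rows):
    """Return a list of problems found in edited_rows relative to template_rows.

    An empty list means only the two editable columns differ, no rows were
    added or removed, and every new classification is an accepted phrase.
    """
    problems = []
    if not template_rows:
        return ["template is empty"]
    template_cols = list(template_rows[0].keys())
    edited_cols = list(edited_rows[0].keys()) if edited_rows else []
    if template_cols != edited_cols:
        return [f"column layout changed: {template_cols} -> {edited_cols}"]
    if CLASSIFY_COLUMN not in template_cols or KEY_COLUMN not in template_cols:
        return [f"template lacks the {KEY_COLUMN!r} or {CLASSIFY_COLUMN!r} column"]

    editable = {CLASSIFY_COLUMN, *DESCRIPTION_COLUMNS}
    by_key = {row[KEY_COLUMN]: row for row in template_rows}
    seen = set()
    for row in edited_rows:
        key = row[KEY_COLUMN]
        original = by_key.get(key)
        if original is None:
            problems.append(f"{key!r}: not in template (rows cannot be added)")
            continue
        seen.add(key)
        # Any read-only column that differs from the template is a problem.
        for col in template_cols:
            if col not in editable and row[col] != original[col]:
                problems.append(f"{key!r}: column {col!r} was modified but is read-only")
        # A changed classification must be one of the two accepted phrases.
        new_class = row[CLASSIFY_COLUMN].strip()
        if new_class != original[CLASSIFY_COLUMN] and new_class not in ALLOWED_CLASSIFICATIONS:
            problems.append(
                f"{key!r}: classification {new_class!r} is not one of "
                f"{sorted(ALLOWED_CLASSIFICATIONS)}"
            )
    for key in sorted(by_key.keys() - seen):
        problems.append(f"{key!r}: missing from edited sheet (rows cannot be removed)")
    return problems


if __name__ == "__main__":
    for problem in validate_import(load_rows(TEMPLATE_CSV), load_rows(EDITED_CSV)):
        print(problem)
```

Run against the constructed sample the script reports two problems: the Category cell changed on the first row, and "Entity-Level" on the third row is not an accepted classification phrase. The other two edits (a custom description and a switch to Entity Level Control) pass, as does uploading the unmodified template.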


Manage Response Options

Administrators have the ability to customize the response options for the following question in the Data Security Risk Assessment Questionnaire. To do so, click on the Data Security Risk Assessment icon on the module homepage. Then click on the Manage Response Options button at the top of the page. Click into the Custom Responses column to update each response option. Click on the blue checkmark button to save your changes.

Question: What is the typical volume of documents received per year?

Default Response Options:

- Less than 1000
- Between 1001 - 10000
- Between 10001 - 25000
- Between 25001 - 50000
- Greater than 50000


Entity-Level Risk Assessment

1. Navigate to the Entity-Level Risk Assessment

From the Data Security & Privacy Risk Management homepage, click on the Entity-Level Risk Assessment icon.

2. Threat Assessment

For each threat, indicate the likelihood that the threat will occur and the impact to the organization if it does. Click within the Likelihood column next to each threat to bring up the dropdown menu where you may select the appropriate likelihood rating.

Next, click within the Impact column next to each threat to bring up the dropdown menu where an impact rating may be selected. Once a Likelihood and Impact are selected, the Calculated Inherent Risk column will automatically calculate and display the Inherent Risk for each threat. This value cannot be overridden.


3. Control Selection

Once the Threat Assessment is complete, click on the Control Selection tab to proceed to the next step. In this section you will select the controls you have in place in your organization to mitigate the entity-level threats. The controls displayed on this page are based on the threats identified in the Threat Assessment step. For each control that you have in place in your organization, click the checkbox in the Select Control column.

Controls that have been classified as Entity Level on the Manage Controls page will display with the word ENTITY instead of a checkbox and there is no additional action required for these controls. They have been pre-selected.

There is filtering available to help you with control selection. The Filter By Category dropdown allows you to filter by control category. The control categories are pre-defined for each control. The Filter By Selection dropdown allows you to see the controls you have already selected or not selected. The Filter By Threat dropdown allows you to filter all controls by threat.

If you do not have a control in place and wish to create a remediation item, click on the Create New link in the Control Remediation column.

Use Link Additional Controls to link other controls available in WolfPAC.


4. Control Assessment

Once the Control Selection step is complete, click on the Control Assessment tab to proceed to the next step. In this section you will perform a control assessment to rate your control environment. The Control Environment Rating represents the strength of the controls in your environment that mitigate potential threats. This will be used to calculate the Residual Risk for each threat.

Click on the arrow to the right of each threat to expand it. A table of controls that have been implemented to mitigate that threat will display. This is the same list of controls that were selected on the Control Selection step.

You may view the number of controls that have not been implemented for each threat next to the Controls Not Implemented label. To view these controls, click on the Show Controls button. Use the checkboxes to quickly indicate if a control has actually been implemented (without having to navigate back to the Control Selection step).

Rate the control environment by selecting a value from the Control Environment Rating dropdown menu. Use the textbox to the right to enter any comments or justification for selecting a particular Control Environment Rating. Repeat this process for each threat.

Once you have selected a Control Environment Rating for each threat, click on the Save button to save your changes and remain on the screen or use the Save And Proceed To Review Results button to move forward to the next step. You may also click directly on the Review Results tab. You will need to complete the Control Assessment in its entirety before moving to the next step.


5. Review Results

This page displays the results of the risk assessment.

If you are done with the risk assessment, click on the Save & Submit button. The risk assessment will be saved and the status will automatically change to Submitted. The assigned Reviewer will receive an email indicating the risk assessment is available for review. If you are the assigned Reviewer and your review of the risk assessment is complete, click on the Save & Finish button to automatically change the status to Reviewed. The assigned Owner will receive an email indicating the risk assessment is now complete.


Document Questionnaire

1. Navigate to the Document Questionnaire

From the Data Security & Privacy Risk Management homepage, click on the Document Questionnaire icon.

Click on the name of a document in blue to access the questionnaire for that document. Note that the Document Questionnaire may only be performed on documents with a Classification of Regulatory Restricted, and therefore only Regulatory Restricted documents will appear on this page. You may also update the status by clicking within the Status column.


2. Complete Questionnaire

Use the dropdown menus in the Response column to answer each question in the questionnaire. Depending on how you answer each question, you may be prompted to answer additional follow-up questions. Continue to select a response for each question until there are none left to answer. The percentage meter at the top of the page will display 100% once you have answered all questions.

3. Add Comments

Use the Comments box located to the right of each question to provide any additional information to the Reviewer.

4. Save Changes and Update Status

When the Document Questionnaire is 100% complete, click on the Save button to save your changes. If you are the Owner, remember to update the Status field at the top of the page to Submitted to trigger an email to the Reviewer to let them know the questionnaire is ready for their review. If you are the Reviewer, update the Status field to Reviewed to notify the assigned Owner that the questionnaire has been fully completed and reviewed.


Data Security Risk Assessment

1. Navigate to the Data Security Risk Assessment

From the Data Security & Privacy Risk Management homepage, click on the Data Security Risk Assessment icon.

Click on the name of a Business Process in blue to access the Data Security Risk Assessment for that process. You may also update the status of a risk assessment by clicking within the Status column.


2. Questionnaire

If you wish to opt out of completing a risk assessment on a particular business process altogether, select the Opt Out Of Risk Assessment checkbox at the top of the page and remember to update the status. No future action is required. Otherwise, to continue with the risk assessment process, proceed with the instructions below.

Use the dropdown menus in the Response column to answer each question in the questionnaire. Depending on how you answer each question, you may be prompted to answer additional follow-up questions. Continue to select a response for each question until there are none left to answer. The percentage meter at the top of the page will display 100% once you have answered all questions.

Use the Comments box located to the right of each question to provide any additional information to the Reviewer.

Click on the Save button to save your answers and remain on the screen or use the Save And Proceed to Threat Assessment button to move forward to the next step. You will need to complete the questionnaire in its entirety before moving to the next step. You may also click directly on the Threat Assessment tab to proceed.


3. Threat Assessment

In this step you will assess the likelihood of a given threat occurring for the business process. Based on how you have answered the questions in the Questionnaire step, WolfPAC will determine which threats may be applicable to the business process.

Review each threat and use the Likelihood Rating dropdown menu to select the Likelihood of the threat occurring, assuming that there are no controls in place in your organization. If a threat is not applicable to your organization, use the Not Applicable option. Use the Comments field to enter any additional information as needed.

Click on the Likelihood Definitions link to help you determine which Likelihood rating to choose.

WolfPAC will automatically calculate the Impact Ratings (Confidentiality, Integrity, and Availability) based on how the Questionnaire was answered. Review these values and ensure that you agree with all three. You may override the calculated Impact Ratings by selecting the Override checkbox and selecting a new value from the dropdown menu. You will be required to enter a reason for overriding the impact in the Comments box.

Once you have completed both the Likelihood Assessment and the Impact Assessment, the calculated Overall Inherent Risk will appear at the bottom of the page. If you have licensed the Information Technology module (4.0) and/or the Third Party Risk Management module (4.0), then the Technology Inherent Risk and Third Party Inherent Risk for any technologies or third parties selected in the Questionnaire will also be factored into the Overall Inherent Risk calculation.

Click on the Save button to save your changes and remain on the screen, or use the Save And Proceed To Control Selection button to move forward to the next step. You will need to complete the Threat Assessment in its entirety before moving to the next step.


4. Control Selection

In this step, you will select the controls you have in place in your organization to mitigate the threats against the business process. The controls that display on this page are based on the threats identified for the business process. Review the Associated Threats column to see which threat(s) each control mitigates.

For each control that you have in place in your organization, select the checkbox in the Select Control column. Controls that have been classified as Entity Level on the Manage Controls page will display with the word ENTITY instead of a checkbox, and there is no additional action required for these controls. They have been pre-selected.

There are filters available to help you with the control selection process. The Filter By Category dropdown allows you to filter by control category. The control categories are pre-defined for each control. The Filter By Selection dropdown allows you to see the controls you have already selected or not selected. The Filter By Threat dropdown is a good way to evaluate all controls by threat.

If you wish to customize any of the control descriptions, you may do so using the textbox in the Control Description column. WolfPAC has provided user-friendly descriptions for each control. However, you can change the control description at the individual risk assessment level. To revert to the default description, select the WOLFPAC option from the Use Alternate Description section. The word [selected] will display next to the description type selected for the control.

If you do not have a control in place or have a control weakness and wish to create a remediation item for it, click on the Create New link in the Control Remediation column.

Use the Link Additional Controls link at the top of the page to link any other controls that your organization has in place.


There is no need to save your work. As you check off each control, the information will be saved automatically. Click on the Proceed To Control Assessment button to move forward to the next step of the process. You may also click directly on the Control Assessment tab.

5. Control Assessment

In this section you will assess the strength of the controls you have in place by identifying a Control Environment Rating for each threat. This rating represents the strength of the controls that mitigate potential threats against the business process.

Click on the arrow to the right of each threat. A table of controls that have been implemented to mitigate that threat will display. This is the same list of controls that were selected on the Control Selection step.

You may view the number of controls that have not been implemented for each threat next to the Controls Not Implemented label. To view these controls, click on the Show Controls button. Use the checkboxes to quickly indicate if a control has actually been implemented (without having to navigate back to the Control Selection step).

Set the Control Environment Rating by selecting a value from the Control Environment Rating dropdown menu. Use the textbox to the right to enter any comments or justification for selecting a particular Control Environment Rating. Repeat this process for each threat.

If you do not have a control in place or have a control weakness and wish to create a remediation item for it, click on the Create New link in the Control Remediation column.

Once you have selected a Control Environment Rating for each threat, click on the Save button to save your changes and remain on the screen, or use the Save And Proceed To Review Results button to move forward to the next step. You may also click directly on the Review Results tab. You will need to complete the Control Assessment in its entirety before moving to the next step.


6. Review Results

This page displays the results of the risk assessment. The top of the page will indicate the Overall Inherent Risk, Control Environment Rating, and Residual Risk that have been determined for the risk area of the business process.

Scroll down to the table to view a summary of each threat and its risk ratings. Click on the plus (+) sign before each threat to expand the controls implemented for that threat.

If you are the assigned Owner and have completed the assessment, click on the Save & Submit button. The risk assessment will be saved and the status will automatically change to Submitted. The assigned Reviewer will receive an email indicating the risk assessment is available for review.

If you are the assigned Reviewer and accept the results of the risk assessment, click on the Accept Risk Assessment Results button to automatically change the status to Reviewed. This will also send an automatic email to the Owner indicating that the risk assessment is now complete. If you do not agree with the risk assessment results, click on the Reject Risk Assessment Results button. This will change the status of the assessment back to In Progress and will trigger an email to the assigned Owner. You must enter an Assessment Conclusion Comment.


Identity Theft Red Flags Assessment

1. Navigate to the Identity Theft Red Flags Assessment

From the Data Security & Privacy Risk Management homepage, click on the Identity Theft Red Flags icon.

2. Manage Covered Accounts

Then, from the Identity Theft Red Flags Risk Assessment homepage, click Manage Covered Accounts. Select the checkbox beside all covered accounts that the institution decides to assess. When finished, click on the Save Changes and Continue to User Assignments button at the bottom of the page.

For each covered account, select an Assigned User who is primarily responsible for completion and upkeep of the covered account in WolfPAC, and an Assigned Reviewer. Enter an Organization-Specific Description for each covered account. Click Save Changes and Return to Identity Theft Red Flags Homepage when finished.

3. Manage Red Flags Procedures

From the Identity Theft Red Flags Risk Assessment homepage, click Add/Edit Red Flags Procedures.

Click the Add new procedure… link at the top of the screen to add any institution-specific red flags. Enter information about the procedure, and then click Save Changes and Continue.


4. Assess Identity Theft Red Flags Risk

From the Identity Theft Red Flags Risk Assessment homepage, click Assess Identity Theft Red Flags Risk. For each covered account, select the questionnaire link. Within the questionnaire, select the questions link beside each section to view and answer questions.

Select an appropriate response for each question in the Response column, and enter any Comments as needed. When finished with each section, click on the Save and Continue to Next Category button to proceed. You may also click on Save and Return to Questionnaire to exit to the previous screen.

When all sections are complete, click on the Save Changes and Continue button to return to the covered account listing. Remember to update the status of the covered account to either Submitted or Reviewed.


Privacy Risk Assessment

The Privacy Risk Assessment is a shortcut to the Reg P: Gramm-Leach-Bliley Act risk assessment in the Regulatory Compliance module. Note that this is only accessible to those who have licensed WolfPAC's Regulatory Compliance module.

1. Navigate to the Privacy Risk Assessment

From the Data Security & Privacy Risk Management homepage, click on the Privacy Risk Assessment icon. You will be redirected to the risk assessment for Reg P: Gramm-Leach-Bliley Act in the Regulatory Compliance module.


2. Complete Assessment

Expand each section by clicking on the gray bar or by clicking on the blue arrow. For each question, select a Response from the dropdown menu and enter any Comments as needed.

For the Quantity of Inherent Risk sections, a Calculated Quantity of Inherent Risk will be determined based on the responses given. Select an appropriate Management's Assessment of Risk from the dropdown menu in each section. Be sure to enter a comment if departing from the calculated risk score.

For the Quality of Mitigating Controls sections, respond to each question and then determine the Overall Quality of Mitigating Controls for that section via the dropdown menu.

When all sections are complete, the Quantity of Inherent Risk, Quality of Mitigating Controls, and Residual Risk will be calculated at the bottom of the page. To override these scores, select the Use override value checkbox and be sure to enter a comment.

To save your changes, click on the Save or Save Changes and Return button.


Reports

1. Navigate to Reports

From the Data Security & Privacy Risk Management homepage, click on the Reports icon.

Select the desired report from the Report Type dropdown menu.