Explaining the Relationship Between Controls, Assessments, and Issues

Objective

After completing this lesson, you will be able to explain the relationship between controls, assessments, and issues.

Relationship Between Controls, Assessments, and Issues

A control could be related to GDPR, the EU General Data Protection Regulation. The control ensures that a supplier or third party meets your company’s requirements, so that the vendor adheres to GDPR.

One assessment related to GDPR contains specific questions to identify whether the supplier or third party sufficiently meets the requirements for "Encryption in Transit", that is, whether they can prove that personal and sensitive data is encrypted while in transit to the extent required by GDPR.

  • A control can have one or many assessments tied to it depending on what your company requires for a control effectiveness review.

Upon review, the control can be deemed effective or ineffective based on your organization’s due diligence.

  • SAP Ariba recommends that, before marking a control as ineffective, you open an issue to attempt to mitigate any concerns, so that the control can be marked effective once the issue is closed.
