As a solution for IT risks, it is a very good product. I think it's structured in a way that makes it good to track IT-specific risks and controls.

The workflow approval process is valuable.

One of the valuable features of this solution is it has the ability to review fourth and fifth parties to the nth degree. 

What this means is, a vendor that is going to engage with us is called a third party. However, sometimes these vendors have their own vendors. The first example, this solution is a third party to us, but this solution uses Azure as their backend database, this is the fourth party to us. I am fine with this because I know Azure is doing its best due diligence with security best practices.

The comparative example, this solution wanted to start using an unknown company, such as Mike and Bob's server farm in Bob's garage as a vendor. I do not know who Mike and Bob are, if they had followed security best practices, do they close that garage door at the end of the night, or do they leave it wide open. All of our data could be sitting on those servers in that garage exposed. I would want to review that fourth party.

As vendors, as our internal customers are bringing these vendors on board with us, they go through this committee. I look at the third party level and question if they have any significant fourth parties. I do not really care about all the small little vendors, such as the person that mows their lawn outside of their office building. However, I do care about a significant fourth party, for example, someone that may be hosting our data on behalf of this third party. This solution allows me to go deep into that information, where other third party risk management platforms that we have reviewed are not able to do. They typically only do the third party level and not the fourth.

The biggest plus for us is that everything we need for our Privacy Program is in one single tool. There is no switching between different applications, or merging data from different tools, needed to generate our reports. It is a single platform with everything we need.

OneTrust is also very easy and intuitive to use. The Vendorpedia library is very useful when adding new vendors, as it contains information about the Privacy Shield status and other risk framework certificates. OneTrust offers to assess vendors on behalf of the customer, which offloads the follow-up work with vendors on assessments.