Purpose
The OneTrust platform centralizes the cybersecurity risk assessment process for clinical applications and research studies. This procedure provides step-by-step instructions on how to request a Third-Party Risk Assessment and track its process using the OneTrust risk management platform.
The intended users are anyone who has a business or research case to request for a risk assessment or wishes to view vendor assessment status in OneTrust.
Researchers selecting new IT Software, new interfaces, use of medical or mobile device, and transmission of direct identifiers on their Ancillary Review Forms will trigger the Cybersecurity assessment process to begin.
Office
Cybersecurity Risk Assessment Office
Access
Step 1. Requesting an Assessment
- Click on the Cybersecurity Assessment desktop launcher
If you do not have the App Launcher, you may use this link: https://mountsinai.my.onetrust.com/welcome. - Enter your primary Mount Sinai email login and password to access the system.
- Select and complete the Global Intake Assessment on the Self-Service Portal landing page.
- The assessment name should contain both the Vendor Name (e.g. Medidata) and their Product or Service (e.g. Rave), Medidata Rave.
- Search and select the Primary (Vendor) Record that appears in the drop-down. If the Vendor is new, click on Add Option
- Answer all questions in the online form with an asterisk (*).
- Select the comment icon under any question if you need to communicate to the Reviewer about a particular question.
- You may add document attachments by using the icon.
- When completed, click on Submit on the lower right of the form.
- You can Save the form if not finished, and return later to complete the questions.
Step 2. Tracking Requests
- Click on the menu icon located in the upper left corner of the page and select Vendor Risk Management.
- Under Inventory, select Vendors to access the Risk Assessment Status Report view.
- The stage will indicate what part of the assessment process is underway for the Vendor.
- Under Assessments, view the list of assessments you’ve created and their status in the system.
Support
Risk Assessment Workflow Questions
Email CyberRiskAssessment@mountsinai.org with a summary of the issue or any questions related to the Risk Assessment Workflow. If you happen to email us using the previous email address, it will be re-directed to CyberRiskAssessment@mountsinai.org.
Office Hours
Every Wednesday 11:30am – 12:00pm
Zoom Link: https://mountsinai.zoom.us/j/4455725852
Office hours are held every Wednesday where a Cybersecurity Risk representative will be available to answer any questions related to the TPRM process.
System Link
Login- Single Sign On (SSO) has been enabled for OneTrust.
If you are unable to login, confirm that you are using your primary email login and password, or that your account is not locked.
For any questions on login ID contact the Helpdesk.
Research Risk Assessment Workflow
- Ruth Link (applicable to human subject research only)
- Ancillary Review for Cybersecurity – Information Security, is triggered in RUTH and a link to the OneTrust system is provided.
- Cyber Risk Team receives RUTH system email alert for Ancillary Office review.
- Pending Intake Submission
- An intake assessment has been opened for the Vendor and is being filled out.
- Intake Form Under Review
- The intake assessment has been submitted and is being reviewed by the Cyber Risk Team
- Inherent Risks identified.
- Vendor Questionnaire in Progress
- A risk questionnaire assessment has been sent to the Vendor contact to be completed.
- Vendor Questionnaire Under Review
- The risk questionnaire assessment has been submitted and is being reviewed by the Cyber Risk Team
- Residual Risks identified.
- Quality Assurance Review
- The Cyber Risk Team reviews all reported Risks and identifies those that require correction.
- Draft Reporting
- The Cyber Risk Team will create and send out the Risk Report and POA&M to the Business Sponsor and Intake Requestor.
- Risk Report- Summary of the Project request, the Risk assessment conclusion, and list of risks identified.
- POA&M- Plan of Action and Milestones; risks identified as needing to be remedied along with a suggested treatment plan.
- Cancelled
- Only used if the Business Sponsor or Requestor cancels the project.
- Hold
- Only used if the Intake Assessment Respondent or Vendor Assessment Respondent is unresponsive for 2 or more weeks.
- Accepted
- All assessments and reports are completed. The Cyber Risk Team concludes their process.
- Update RUTH
- Cyber Risk Team states the overall Security Risk Conclusion, attaches the Security Risk Report, and accepts the Study in RUTH.
- Closed
- When the project has concluded and the Vendor is no longer working with Mount Sinai.
Reference Guides
- OneTrust User Guides – Click on the download icon on the top-right corner of the file to view the document.
- In PEAK, search for ‘Cybersecurity’ to find training on the OneTrust system and Intake Questionnaire.
- Disclosing Mount Sinai Data to External Parties Frequently Asked Questions
Definitions
- Intake Assessment – request form with project details that will be submitted to the Analyst for review and establish the inherent risks.
- Vendor Questionnaire – cybersecurity risk questionnaire sent to Vendor, to be completed within 10 business days. Delay in vendor’s response time will impact report completion time. Responses from vendors are used to calculate residual risks.
- Risk Report – the Cybersecurity Risk Team’s risk provide risk report including the overall risk score and a Plan of Action and Milestones (POA&M), when appropriate, to facilitate risk remediation effort for the vendor’s product or services.