By Christina Pomianek-Smith
The Information Security Governance, Risk, and Compliance (GRC) team, led by Assistant Director, Denise Woodward, handles many types of security-related requests from the WashU community. When researchers need a security review of the tools they’re using for a study, when a department wants to adopt new technology, or when someone requires a specialized solution for their unique security challenge—GRC is here to help. GRC’s central goal is meeting the security needs of the WashU community so that we can continue to advance our mission, exploring the frontiers of knowledge together.
The activities and security needs of the WashU community are incredibly diverse. GRC systematically organizes and documents the security review processes, employing many different forms for different needs. The forms serve two core purposes—to collect the information GRC needs to conduct the security assessment and to provide a detailed record of the security posture of our institution.
Ideally, the security assessment process is like a conversation between GRC and the requestor. Sometimes, the conversation involves multiple parties, such as InfoSec Ally, The Office of Resource Management, the HIPAA Privacy Office, or department IT coordinators, among others. Orchestrating and documenting these conversations can become complicated at a place as busy as WashU. Fortunately, the digital transformation already underway across our institution brings us great new tools to assist in the process. For GRC, the go-to technology for security assessments is the OneTrust platform.
What is OneTrust?
Founded in 2016, OneTrust has quickly become a global leader in security, privacy, and compliance. More than 7,500 organizations currently use OneTrust to manage their “trust transformation” process—building better privacy and security to foster trust in how organizations handle data. At WashU, we all share ethical, professional, and legal obligations to protect data from security threats. OneTrust makes it easier for us to rise to that challenge, even in the context of our rapidly changing digital environment.
What Makes OneTrust Wonderful?
OneTrust eases the intake, organization, and review of security assessment requests. It makes it possible to collaborate with individuals and departments across the university to gather information for the assessment, and it allows the requestor continuous insight into the review process. OneTrust also allows GRC to craft intake forms specific to the needs of the WashU community. Rather than forcing the cutting-edge work of WashU faculty, staff, and students into preexisting review templates intended for a different environment, GRC prepares forms specific to work underway here at WashU.
According to Woodward, “OneTrust has helped us move our risk assessments to the next level.” Since adopting OneTrust, we’ve moved away from receiving assessment requests via a static fillable Word form to a system that allows for comments, questions, and ongoing correspondence between multiple stakeholders throughout the review process. OneTrust has made the review process more effective, informed, and transparent.
Experience OneTrust for Yourself
To learn more about how WashU is using OneTrust, please visit our Forms page. There, you’ll find forms for various types of security assessments, including IRB Security Review forms, Policy Exception forms, and the new IT Procurement Vendor Intake form, among others (please see our recent article about the collaborative relationship between InfoSec and Procurement).
Each form includes a brief description of its purpose and step-by-step guidance for completing it in OneTrust.
GRC plans to continue developing and improving the security assessment process, employing more tools and features offered by the OneTrust platform. Be sure to stay tuned for more exciting developments!