The code block below illustrates how one might use # and // as comments in your logic and calculations.

This value you provided is not a number. Please try again.

This value you provided is not an integer. Please try again.

The value entered is not a valid Vanderbilt Medical Record Number (i.e. 4- to 9-digit number, excluding leading zeros). Please try again.

The value you provided must be within the suggested range

The value you provided is outside the suggested range

This value is admissible, but you may wish to double check it.

The value entered must be a time value in the following format HH:MM within the range 00:00-23:59 (e.g., 04:32 or 23:19).

This field must be a 5 or 9 digit U.S. ZIP Code (like 94043). Please re-enter it now.

This field must be a 10 digit U.S. phone number (like 415 555 1212). Please re-enter it now.

This field must be a valid email address (like joe@user.com). Please re-enter it now.

The value you provided could not be validated because it does not follow the expected format. Please try again.

Required format:

AFJ2zper5vFC7DdB2j3EYx9QCDRXkpeL8k64PJvKXaGLKIR3mvZQXSLt3PSMhJPEzXWoeBQEtTPRzXM4rqu7T7xd4fb4qtGqMD

PI Risk Assessment Request Form

Entry Date

M-D-Y

Is this request for a Study?

* must provide value

Yes

reset

Request Type

Policy Exception

Risk Assessment

reset

Exception Duration

* must provide value

48 Hours

30 Days

60 Days

90 Days

120 Days

180 Days

365 Days

reset

What is It & When is a Full Ad-Hoc Risk Assessment Required?

An Information Security (InfoSec) Ad Hoc Risk Assessment (RA) is required any time a new technology, system, product, service, or device is being considered for implementation or use at Children's. In some cases, introducing significant changes (such as additional functionality or an upgrade) to an existing technology may require an amended RA or a new one.

The RA must be completed prior to signing a contract with a vendor or deploying new technology, unless there is an approved InfoSec Policy Exception allowing for this to occur before the RA is complete. Please reference the 8-23 Information Security Risk Management Policy for more information.

The goal of the RA is to identify and report any security risks associated with the vendor and/or technology and ensure that the implementation of the technology or service meets or exceeds Children's Information Security Policies and Standards (see Policies 8-00 to 8-70).

For more information use this link- Information Security Ad-Hoc Risk Assessment Process

What is a 48 Hour Duration Policy Exception?

Children's has Information Security policies, standards, and procedures (please see Policies 8-00 to 8-70), which must be adhered to in order to maintain the organization's information security maturity level. The Information Security (InfoSec) policy exception process is used to ask for approval for any request that deviates from the policy elements and controls specified in the InfoSec policies and standards.
Similar to the standard policy exception process, the Children's Information Cyber Security Team has developed a process to accommodate a specific set of request types that are only needed for period of less than 48 hours. The intention is to be able to process these requests quickly and accommodate short term, low risk, policy exception request items.

What are the types of 48 Hour Duration Policy Exception requests?

A. Write to file storage site (e.g., EmoryBox.com, Box.com, Dropbox, Google Drive, Sharefile)
B. Access a blocked website
C. Write to encrypted removable media (e.g., USB drive, SD Card, etc.)
D. Device control - allow execution of restricted file types (e.g., .EXE, .BIN, .ZIP files) from removable media
E. Allow execution of remote desktop software for vendor support activities (e.g., Bomgar)

What is an Information Security (InfoSec) Policy Exception?

Children's has IS&T Policies, Standards, and Procedures (please see Policies 8-00 to 8-70) which must be adhered to in order to maintain the organization's InfoSec maturity level. The InfoSec policy exception process is used to ask for approval for any request that deviates from the controls specified in the IS&T Policies and Standards.

The IT GRC Team does not support or deny requests. IT GRC processes policy exception requests and ensures approvals are obtained from the appropriate level of management. The InfoSec Policy Exception Review Committee provides a final decision to support or deny the request.

For more information use this link- Information Security Policy Exception Process

Common Requests that Require an Approved InfoSec Policy Exception Before Proceeding

Implement a System or Application without an InfoSec Ad-Hoc Security Risk Assessment.
Write to Removable Media (e.g., USB Device)
Write to Unencrypted Removable Media (e.g., USB Device)
Access or Execute Compressed (.ZIP) or Executable (.EXE) files from Removable Media (e.g., USB Device)
Access to External Email Services (e.g., Gmail, Hotmail, Yahoo, etc.) from the Children's Network
Local Admin Rights to Children's Workstation(s)Non-Expiring Password for Service Account(s)
Upload Files to a File Sharing Site (e.g., Google Drive, Box, Dropbox)
Create a Vendor Generic User Account (Login ID or EID) for Support Activities
Connect Non-Children's Owned Devices to the Children's Network
System/Application Exclusions to Anti-Virus Scans (Note: this does not include file/folder exclusions which are managed by Cyber Security directly and do not require a policy exception)
System Patch Management Exclusions (e.g., Manual Reboot, Do Not Patch, etc.)
Connect an Outdated System to the Children's Network.

Requestor Name

* must provide value

Requestor Email Address

* must provide value

Requestor Department

* must provide value

Request Phase

PI Name

* must provide value

Study Name

* must provide value

Length of Study

* must provide value

Due Date

* must provide value

M-D-Y

IRB Number

* must provide value

Which IRB reviewed your study submission?

* must provide value

CHOA

Emory

Don't know

reset

RA Request Type

Research

Operational

reset

Is this a funded study?

* must provide value

Yes

reset

Will any PHI be collected using the requested device/software?

Yes

reset

Will any PII be collected using the requested device/software?

Yes

reset

What is the Sensitive or Confidential Data being used ?

* must provide value

Expand

How many Patients will be invovled in this study?

* must provide value

How many Study Staff Users ?

* must provide value

Technology Type

Does this request involve a medical device?

* must provide value

Yes

reset

What is the location of this medical device?

* must provide value

Is this medical device only used for research?

* must provide value

Yes

reset

Is the medical device related to Cardiology?

* must provide value

Yes

reset

Medical Device Status

Who is the Clinical director over ______?

* must provide value

Description of Request

Expand

First Name
Last Name
Phone Number
Email Address

Would you like to include anyone else in the emails regarding this request?

* must provide value

Yes

reset

Number of Additional Emails

* must provide value

Additional Email Address

* must provide value

Additional Email Address

* must provide value

Additional Email Address

* must provide value

Additional Email Address

* must provide value

Additional Email Address

* must provide value

Name of Vendor
Vendor Contact Number
Vendor Email Address
Vendor Information e.g address , website

Security Documentation required for a Risk Asessment

Vendor Documentation

Upload file

Vendor Data Flow Diagram

Protocol

User Guide

IRB Approval Letter

Any legal agreements

Send More Information Email

Yes

reset

Send More Information Email (Again)

Yes

reset

Outstanding Items Needed:
(Will be sent to user in email)

* must provide value

Expand

You have selected an option that triggers this survey to end right now.

To save your responses and end the survey, click the 'End Survey' button below. If you have selected the wrong option by accident and/or wish to return to the survey, click the 'Return and Edit Response' button.

PI Risk Assessment Request Form

What is It & When is a Full Ad-Hoc Risk Assessment Required?

The RA must be completed prior to signing a contract with a vendor or deploying new technology, unless there is an approved InfoSec Policy Exception allowing for this to occur before the RA is complete. Please reference the 8-23 Information Security Risk Management Policy for more information.

The goal of the RA is to identify and report any security risks associated with the vendor and/or technology and ensure that the implementation of the technology or service meets or exceeds Children's Information Security Policies and Standards (see Policies 8-00 to 8-70).

For more information use this link- Information Security Ad-Hoc Risk Assessment Process

What is a 48 Hour Duration Policy Exception?

What are the types of 48 Hour Duration Policy Exception requests?

For more information use this link- Information Security Policy Exception Process

Common Requests that Require an Approved InfoSec Policy Exception Before Proceeding

Implement a System or Application without an InfoSec Ad-Hoc Security Risk Assessment.

Write to Removable Media (e.g., USB Device)

Write to Unencrypted Removable Media (e.g., USB Device)

Access or Execute Compressed (.ZIP) or Executable (.EXE) files from Removable Media (e.g., USB Device)

Access to External Email Services (e.g., Gmail, Hotmail, Yahoo, etc.) from the Children's Network

Local Admin Rights to Children's Workstation(s)Non-Expiring Password for Service Account(s)

Upload Files to a File Sharing Site (e.g., Google Drive, Box, Dropbox)

Create a Vendor Generic User Account (Login ID or EID) for Support Activities

Connect Non-Children's Owned Devices to the Children's Network

System/Application Exclusions to Anti-Virus Scans (Note: this does not include file/folder exclusions which are managed by Cyber Security directly and do not require a policy exception)

System Patch Management Exclusions (e.g., Manual Reboot, Do Not Patch, etc.)

Connect an Outdated System to the Children's Network.

Requestor Information

Study Information

Study Point of Contact Information
If this is a multi-site collaborative please include Host site POC

Vendor Information

Supporting Documentation
Please upload supporting documentation below.

Security Documentation required for a Risk Asessment

Reviewer Information

You have selected an option that triggers this survey to end right now.

PI Risk Assessment Request Form

What is It & When is a Full Ad-Hoc Risk Assessment Required?

The RA must be completed prior to signing a contract with a vendor or deploying new technology, unless there is an approved InfoSec Policy Exception allowing for this to occur before the RA is complete. Please reference the 8-23 Information Security Risk Management Policy for more information.

The goal of the RA is to identify and report any security risks associated with the vendor and/or technology and ensure that the implementation of the technology or service meets or exceeds Children's Information Security Policies and Standards (see Policies 8-00 to 8-70).

For more information use this link- Information Security Ad-Hoc Risk Assessment Process

What is a 48 Hour Duration Policy Exception?

What are the types of 48 Hour Duration Policy Exception requests?

For more information use this link- Information Security Policy Exception Process

Common Requests that Require an Approved InfoSec Policy Exception Before Proceeding

Implement a System or Application without an InfoSec Ad-Hoc Security Risk Assessment.

Write to Removable Media (e.g., USB Device)

Write to Unencrypted Removable Media (e.g., USB Device)

Access or Execute Compressed (.ZIP) or Executable (.EXE) files from Removable Media (e.g., USB Device)

Access to External Email Services (e.g., Gmail, Hotmail, Yahoo, etc.) from the Children's Network

Local Admin Rights to Children's Workstation(s)Non-Expiring Password for Service Account(s)

Upload Files to a File Sharing Site (e.g., Google Drive, Box, Dropbox)

Create a Vendor Generic User Account (Login ID or EID) for Support Activities

Connect Non-Children's Owned Devices to the Children's Network

System/Application Exclusions to Anti-Virus Scans (Note: this does not include file/folder exclusions which are managed by Cyber Security directly and do not require a policy exception)

System Patch Management Exclusions (e.g., Manual Reboot, Do Not Patch, etc.)

Connect an Outdated System to the Children's Network.

Requestor Information

Study Information

Study Point of Contact InformationIf this is a multi-site collaborative please include Host site POC

Vendor Information

Supporting Documentation Please upload supporting documentation below.

Security Documentation required for a Risk Asessment

Reviewer Information

You have selected an option that triggers this survey to end right now.

Study Point of Contact Information
If this is a multi-site collaborative please include Host site POC

Supporting Documentation
Please upload supporting documentation below.