Educause Security Discussion mailing list archives
Re: Risk analysis And Vendor Management
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 18 Jul 2014 17:39:21 +0000
We do, and it sounds like we have a similar program in place. http://www.it.northwestern.edu/about/departments/itms/cpo/assessment.html
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Friday, July 18, 2014 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk analysis And Vendor Management

We require our business Associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent. But we're getting some internal feedback that this is not a standard practice.

--One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.

-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?

To see Stanford's policy "http://web.stanford.edu/group/security/securecomputing/ASP_security.html"

Cheers --grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu