Re: Risk analysis And Vendor Management

[Sol Bermann <solb () UMICH EDU>]

We require 3rd-party assessments for service providers when sensitive data
is involved

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity
Strategist
ITS - Information & Infrastructure Assurance
University of Michigan

734/615-9661
solb () umich edu




On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu>
wrote:

> We require our business Associates and other vendors to supply information
> on systems, applications, databases, medical devices, etc. That way we can
> do a risk analysis and document controls that are in place by the vendor as
> well as what we need to do to mitigate where controls are ineffective or
> absent.
> But we're getting some internal feedback that this is not a standard
> practice.
> --One of the big issues is HIPAA/HITECH requiring assurances of security
> controls. I have found Stanford to have an excellent policy on vendor
> management.
> -- Is there anybody else out there who requires third-party assessments
> when confidential/ePHI/PII data is involved? Especially if it's outsourced?
> To see Stanford's policy "
> http://web.stanford.edu/group/security/securecomputing/ASP_security.html";
> Cheers --grish
> David D. Grisham
> David Grisham, Ph.D.,  CISM, CRISC
> Manager, IT Security,
> UNM Hospitals, IT Division
> Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
> Ph: (505) 272-5657
> Department FAX 272-7143, Desk Fax 272-9927
> Work email:  dgrisham () salud unm edu