Educause Security Discussion mailing list archives
security. Bringing up SAS70 requirements once again.
From: David Grisham <dgrisham () SALUD UNM EDU>
Date: Sun, 11 Dec 2011 12:28:39 -0700
Back in 2009 Daniel Sarazen (University of Massachusetts) asked the group about requiring SAS70s or third-party assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about "should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range".

Once again the question has come up across the security groups here at UNM-HSC. I am curious what other academic health centers' positions are in regard to requiring "third-party analysis of controls" when outsourcing ePHI or PII. Given the risk of breach costs (reputational, notification, potential fines, etc.), IMHO the risks are too high to not require an independent assessment no matter the size of the contract. There are beneficial smaller services that our researchers and physicians find from companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies, does anyone have an alternative assessment process?

-- Do you have an external auditor that you are willing to pay to do an assessment?
-- Do you have internal resources allocated to assess the smaller companies?
-- Other options or processes?

I will forward a summary to the Listserv of any responses I receive. Thank you in advance and have a happy holiday season.

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is intended only for the use of those to whom it is addressed and may contain information which is privileged, confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or copy it. Delete it immediately, and any attachments, and notify me by telephone. Please do not forward or disseminate the information in this written document. ...