Educause Security Discussion mailing list archives

FW: [SECURITY] security. Bringing up SAS70 requirements once again.


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Mon, 12 Dec 2011 10:55:15 -0500



-----Original Message-----
From: Sarazen, Daniel 
Sent: Monday, December 12, 2011 7:04 AM
To: 'David Grisham'
Subject: FW: [SECURITY] security. Bringing up SAS70 requirements once again.

Hi David,

What we've started to ask for from vendors is a completed SIGv6.2, from the Shared Assessment program 
www.sharedassessment.org

About 50% of the vendors have the assessment at the ready. Now, this isn't an audit and we don't know if they are 
lying, but it's a start.

Good Luck!

Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Grisham
Sent: Sunday, December 11, 2011 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security. Bringing up SAS70 requirements once again.

Back in 2009, Daniel Sarazen of the University of Massachusetts asked the group about requiring SAS70s or third-party 
assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about 
"should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range". Once again 
the question has come up across the security groups here at UNM-HSC.

I am curious what other academic health centers' positions are in regard to requiring "third-party analysis of controls" 
when outsourcing ePHI or PII. Given the risk of breach costs (reputational, notification, potential fines, etc.) IMHO 
the risks are too high to not require an independent assessment no matter the size of the contract. 
There are beneficial smaller services that our researchers and physicians find, offered by companies that cannot afford SAS70 
audits. So, for those smaller contracts with smaller companies, does anyone have an alternative assessment process?
-- Do you have an external auditor that you are willing to pay to do an assessment?
-- Do you have internal resources allocated to assess the smaller companies?
-- Other options or processes?

I will forward a summary to the Listserv of any responses I receive. Thank you in advance and have a happy holiday 
season.

Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is 
intended only for the use of those to whom it is addressed and may contain information which is privileged, 
confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or 
copy it. Delete it immediately and attachments, if any, and notify me by telephone. Please do not forward or 
disseminate the information in this written document.
...

Attachment: SIGv6.2.xls
Description: SIGv6.2.xls

Attachment: AUP_5.0.pdf
Description: AUP_5.0.pdf

