Educause Security Discussion mailing list archives
Re: security. Bringing up SAS70 requirements once again.
From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Mon, 12 Dec 2011 09:36:18 -0700
Thank you Miguel. So far I have about one half-dozen responses. I will summarize back to the group after the responses slow down. Cheers.
-grish
David Grisham
"Soldi, Miguel" <MSoldi () UTSYSTEM EDU> 12/12/2011 8:53 AM >>>
Please find attached the final report that Doug mentions at the end.
ms
Miguel Soldi
University of Texas System
Information Security Compliance Office
Phone: 512-499-4217
Email: msoldi () utsystem edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug Markiewicz - EDUCAUSE
Sent: Monday, December 12, 2011 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security. Bringing up SAS70 requirements once again.

No medical center here but thought I'd chime in anyways. :-)
IMHO the risks are too high to not require an independent assessment no matter the size of the contract.
Agreed. When evaluating third-parties we request both a SAS70/SSAE16 Type II audit report as well as the results of an independent security assessment. In my experience, both are needed because SAS70s historically have not addressed security in great detail. We don't always get both and end up having to make some risk decisions regarding how to proceed.
There are beneficial smaller services that our researchers and physicians find by companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies does anyone have an alternative assessment process?
Again just speaking from my own experience, a SAS70 can be affordable for a smaller company. We've certainly seen smaller companies that have them. Although in many instances it's actually a SAS70 for a hosting service that the small company is using. Perhaps you're right. I think some companies, particularly in the cloud space, are often just more focused on getting their product to market.
-- Do you have an external auditor that you are willing to pay to do an assessment?
Generally speaking, we would not pay an external auditor to assess a third-party. We would expect the third-party to pay for this. Even when a vendor does perform independent security testing, we often get pushback when trying to get the results. Most vendors seem willing to provide a summary report but summary reports don't go into much detail. Without some detail it's hard to know the scope of testing, etc.
-- Do you have internal resources allocated to assess the smaller companies?
We have internal resources that have performed security testing on third-parties when that third-party hasn't had an independent security review completed. We typically try to reserve the right to do our own security testing as part of the contract process. We get pushback on this though. It's also time consuming work and requires the right kind of expertise. We're fortunate that we have the expertise but I'm sure there are plenty of organizations that do not.
-- Other options or processes?
IMO, a good option is the Shared Assessments Program. If you're not familiar, it's a standard framework for assessing third-party service providers. It has a questionnaire component and a hands-on validation component. The questionnaire is meant to be something completed by a vendor once and shared with multiple customers. The hands-on validation component is fairly prescriptive and is something you could have an internal employee do or something you could hire a third-party to do at what I'm guessing would be minimal cost. It was created for the financial industry but has been expanded for healthcare. There is also interest from both sides on making it work for higher education. The HEISC had a working group evaluate the framework. If I can find a link to the final report, I'll send it along. http://www.sharedassessments.org/