Educause Security Discussion mailing list archives

Re: security. Bringing up SAS70 requirements once again.


From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Mon, 12 Dec 2011 09:36:18 -0700

Thank you Miguel. So far I have about one half-dozen responses. I will summarize back to the group after the responses 
slow down. Cheers. -grish
David Grisham

"Soldi, Miguel" <MSoldi () UTSYSTEM EDU> 12/12/2011 8:53 AM >>>
Please find attached the final report that Doug mentions at the end.
ms


Miguel Soldi
University of Texas System Information Security Compliance
Office Phone: 512-499-4217
Email: msoldi () utsystem edu 



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug 
Markiewicz - EDUCAUSE
Sent: Monday, December 12, 2011 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] security. Bringing up SAS70 requirements once again.

No medical center here but thought I'd chime in anyways. :-)


IMHO the risks are too high to not require an independent
assessment no matter the size of the contract.

Agreed. When evaluating third parties we request both a SAS70/SSAE16 Type II audit report as well as the results of an 
independent security assessment. In my experience, both are needed because SAS70s historically have not addressed 
security in great detail. We don't always get both and end up having to make some risk decisions regarding how to 
proceed.

There are beneficial smaller services that our researchers and physicians
find by companies that cannot afford SAS70 audits. So, for those smaller
contracts with smaller companies does anyone have an alternative
assessment process?

Again just speaking from my own experience, a SAS70 can be affordable for a smaller company. We've certainly seen 
smaller companies that have them. Although in many instances it's actually a SAS70 for a hosting service that the small 
company is using. Perhaps you're right. I think some companies, particularly in the cloud space, are often just more 
focused on getting their product to market.

-- Do you have an external auditor that you are willing to pay to do an
assessment?

Generally speaking, we would not pay an external auditor to assess a third party. We would expect the third party to 
pay for this. Even when a vendor does perform independent security testing, we often get pushback when trying to get 
the results. Most vendors seem willing to provide a summary report, but summary reports don't go into much detail. 
Without some detail it's hard to know the scope of testing, etc.

-- Do you have internal resources allocated to assess the smaller
companies?

We have internal resources that have performed security testing on third parties when that third party hasn't had an 
independent security review completed. We typically try to reserve the right to do our own security testing as part of 
the contract process. We get pushback on this though. It's also time-consuming work and requires the right kind of 
expertise. We're fortunate that we have the expertise, but I'm sure there are plenty of organizations that do not.

-- Other options or processes?

IMO, a good option is the Shared Assessments Program. If you're not familiar, it's a standard framework for assessing 
third-party service providers. It has a questionnaire component and a hands-on validation component. The questionnaire is 
meant to be something completed by a vendor once and shared with multiple customers. The hands-on validation component 
is fairly prescriptive and is something you could have an internal employee do or something you could hire a 
third party to do at what I'm guessing would be minimal cost. It was created for the financial industry but has been 
expanded for healthcare. There is also interest from both sides in making it work for higher education. The HEISC had a 
working group evaluate the framework. If I can find a link to the final report, I'll send it along.

http://www.sharedassessments.org/
