Educause Security Discussion mailing list archives
Re: security. Bringing up SAS70 requirements once again.
From: David Clift <David.Clift () UTAH EDU>
Date: Mon, 12 Dec 2011 16:50:50 +0000
The preference is that there is a Type II SAS 70 or SSAE 16 (replaces SAS 70 for periods ending after June 15, 2011), or SOC 2 or SOC 3 report. However, as you've found, there are a lot of useful services that don't have any third-party assessment. For those, we look at them individually and try to evaluate the risk vs. the benefit and try to do some alternative procedures to give some additional comfort on the security of the solution.

At a minimum, they are going to have to sign a Business Associate Agreement and agree to follow HIPAA/HITECH, and we are going to ask them to complete a control questionnaire covering between 70 and 120 controls. Of course they could stretch things when they answer the control questionnaire, but we put in the contract a right-to-audit clause so that hopefully they will be less likely to state that they have controls that don't really exist. We have not yet attempted to exercise the right to audit because we've been too busy internally, but I hope to be able to do that in the future.

We have not used an external auditor to do an assessment of a service provider - too expensive.

I would also be interested to hear what others do.

Thanks,

David Clift
Information Security & Privacy Office
University of Utah

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Sunday, December 11, 2011 12:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security. Bringing up SAS70 requirements once again.

Back in 2009 Daniel Sarazen of the University of Massachusetts asked the group about requiring SAS70s or third-party assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about "should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range". Once again the question has come up across the security groups here at UNM-HSC.

I am curious what other academic health centers' positions are in regard to requiring "third-party analysis of controls" when outsourcing ePHI or PII. Given the risk of breach costs (reputational, notification, potential fines, etc.), IMHO the risks are too high to not require an independent assessment no matter the size of the contract. There are beneficial smaller services that our researchers and physicians find from companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies, does anyone have an alternative assessment process?

-- Do you have an external auditor that you are willing to pay to do an assessment?
-- Do you have internal resources allocated to assess the smaller companies?
-- Other options or processes?

I will forward a summary to the Listserv of any responses I receive.

Thank you in advance and have a happy holiday season.

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is intended only for the use of those to whom it is addressed and may contain information which is privileged, confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or copy it. Delete it immediately and attachments, if any, and notify me by telephone. Please do not forward or disseminate the information in this written document. ...
Current thread:
- Secure Password Distribution for Exchange Migration David Treble (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Joel Rosenblatt (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Rich Graves (Dec 08)
- Re: Secure Password Distribution for Exchange Migration Rob Whalen (Dec 09)
- Re: Secure Password Distribution for Exchange Migration David Treble (Dec 09)
- security. Bringing up SAS70 requirements once again. David Grisham (Dec 11)
- Re: security. Bringing up SAS70 requirements once again. Doug Markiewicz - EDUCAUSE (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. Soldi, Miguel (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. David Grisham (Dec 12)
- security. Bringing up SAS70 requirements once again. David Grisham (Dec 11)
- FW: [SECURITY] security. Bringing up SAS70 requirements once again. Sarazen, Daniel (Dec 12)
- Re: security. Bringing up SAS70 requirements once again. David Clift (Dec 12)