Educause Security Discussion mailing list archives

Re: security. Bringing up SAS70 requirements once again.


From: David Clift <David.Clift () UTAH EDU>
Date: Mon, 12 Dec 2011 16:50:50 +0000

The preference is that there is a Type II SAS 70 or SSAE 16 (replaces SAS 70 for periods ending after June 15, 2011), 
or SOC 2 or SOC 3 report. However, as you've found, there are a lot of useful services that don't have any third-party 
assessment. For those, we look at them individually and try to evaluate the risk vs. the benefit and try to do some 
alternative procedures to give some additional comfort on the security of the solution.

At a minimum, they are going to have to sign a Business Associate Agreement and agree to follow HIPAA/HITECH and we are 
going to ask them to complete a control questionnaire covering between 70 and 120 controls. Of course they could 
stretch things when they answer the control questionnaire, but we put in the contract a right-to-audit clause so that 
hopefully they will be less likely to state that they have controls that don't really exist. We have not yet attempted 
to exercise the right to audit because we've been too busy internally, but I hope to be able to do that in the future.

We have not used an external auditor to do an assessment of a service provider - too expensive.

I would also be interested to hear what others do.

Thanks,
David Clift
Information Security & Privacy Office
University of Utah


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Grisham
Sent: Sunday, December 11, 2011 12:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security. Bringing up SAS70 requirements once again.

Back in 2009 Daniel Sarazen of the University of Massachusetts asked the group about requiring SAS70s or third-party 
assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about 
"should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range". Once again 
the question has come up across the security groups here at UNM-HSC.

I am curious what other academic health centers' positions are in regard to requiring "third-party analysis of controls" 
when outsourcing ePHI or PII. Given the risk of breach costs (reputational, notification, potential fines, etc.) IMHO 
the risks are too high to not require an independent assessment no matter the size of the contract. 
There are beneficial smaller services that our researchers and physicians find by companies that cannot afford SAS70 
audits. So, for those smaller contracts with smaller companies does anyone have an alternative assessment process?
-- Do you have an external auditor that you are willing to pay to do an assessment?
-- Do you have internal resources allocated to assess the smaller companies?
-- Other options or processes?

I will forward a summary to the Listserv of any responses I receive. Thank you in advance and have a happy holiday 
season.

Cheers --grish
David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657 
Department FAX 272-7143, Desk Fax 272-9927
Work email:  dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email:  dave () unm edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is 
intended only for the use of those to whom it is addressed and may contain information which is privileged, 
confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or 
copy it. Delete it immediately and attachments, if any, and notify me by telephone. Please do not forward or 
disseminate the information in this written document.
...