Educause Security Discussion mailing list archives

Risk analysis And Vendor Management


From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Fri, 18 Jul 2014 11:33:18 -0600

We require our business associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?
To see Stanford's policy: http://web.stanford.edu/group/security/securecomputing/ASP_security.html
Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
Ph: (505) 272-5657 
Department FAX 272-7143, Desk Fax 272-9927
Work email:  dgrisham () salud unm edu 
