Re: Risk analysis And Vendor Management

[Roger A Safian <r-safian () NORTHWESTERN EDU>]

We do, and it sounds like we have a similar program in place.

http://www.it.northwestern.edu/about/departments/itms/cpo/assessment.html

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
> Sent: Friday, July 18, 2014 12:33 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Risk analysis And Vendor Management
>
> We require our business Associates and other vendors to supply information
> on systems, applications, databases, medical devices, etc. That way we can
> do a risk analysis and document controls that are in place by the vendor as
> well as what we need to do to mitigate where controls are ineffective or
> absent.
> But we're getting some internal feedback that this is not a standard practice.
> --One of the big issues is HIPAA/HITECH requiring assurances of security
> controls. I have found Stanford to have an excellent policy on vendor
> management.
> -- Is there anybody else out there who requires third-party assessments
> when confidential/ePHI/PII data is involved? Especially if it's outsourced?
> To see Stanford's policy
> "http://web.stanford.edu/group/security/securecomputing/ASP_security.ht
> ml"
> Cheers --grish
> David D. Grisham
> David Grisham, Ph.D.,  CISM, CRISC
> Manager, IT Security,
> UNM Hospitals, IT Division
> Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
> Ph: (505) 272-5657
> Department FAX 272-7143, Desk Fax 272-9927 Work email:
> dgrisham () salud unm edu