Educause Security Discussion mailing list archives

Re: Risk analysis And Vendor Management


From: Renee Peters <renee () NORTHEAST EDU>
Date: Fri, 18 Jul 2014 18:01:08 +0000

We require a 3rd party security assessment for all external partners that will be accessing our internal systems or data.

Renee Peters
Director of Technology Risk & Service Management
Northeast Community College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Friday, July 18, 2014 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk analysis And Vendor Management

We require our business Associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?
To see Stanford's policy: http://web.stanford.edu/group/security/securecomputing/ASP_security.html
Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927 Work email:  dgrisham () salud unm edu
