Educause Security Discussion mailing list archives
Re: Risk analysis And Vendor Management
From: Renee Peters <renee () NORTHEAST EDU>
Date: Fri, 18 Jul 2014 18:01:08 +0000
We require a 3rd party security assessment for all external partners that will be accessing our internal systems or data.

Renee Peters
Director of Technology Risk & Service Management
Northeast Community College
402-844-7072 | renee () northeast edu | fax 402-844-7400
NORTHEAST.EDU
801 E. BENJAMIN AVE. | PO BOX 469 | NORFOLK, NE 68702
402-371-2020 | 800-348-9033 | FAX 402-844-7400

This email and any files transmitted with it are confidential and solely for the use of the intended recipient(s). If you have received this email in error, please notify the sender immediately by email and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the College. The recipient should check this email and any attachments for the presence of viruses. The College accepts no liability for any damage caused by any virus transmitted by this email.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Friday, July 18, 2014 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk analysis And Vendor Management

We require our business associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor, as well as what we need to do to mitigate where controls are ineffective or absent. But we're getting some internal feedback that this is not a standard practice.

-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.

-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?

To see Stanford's policy: http://web.stanford.edu/group/security/securecomputing/ASP_security.html

Cheers
--grish

David D. Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu