Educause Security Discussion mailing list archives

Re: Risk analysis And Vendor Management


From: Chuck Kesler <chuck.kesler () DUKE EDU>
Date: Fri, 18 Jul 2014 18:42:13 +0000

In-Reply-To: <CAM9rm4C9dNc3iZ4SPc4mxR2DwU+EBuunhUY_XHbh3DcP-sO_yw () mail gmail com>

Likewise, at Duke Medicine we go through a due diligence process to understand the IT-related risks of doing business with a Business Associate or other vendor, which then dictates what security controls we document as part of a data security agreement exhibit in our contracts. In cases where sensitive data is going to be stored, processed, or transmitted in a material fashion by the vendor, one of those controls is that the vendor is required to have a third-party security audit against an accepted industry standard (e.g. SSAE-16 SOC 2, ISO 27001/27002, NIST 800-53, HITRUST CSF) conducted on an annual basis. We also reserve the right to have the vendor share the results of the audit with us, at minimum in the form of an engagement letter from the auditor that summarizes their methodology and findings.


Chuck



________________________________________
Chuck Kesler, MBA, CISSP, CISM, PMP
Chief Information Security Officer
Duke Medicine
Email: chuck.kesler () dm duke edu
Office: 919-668-0518
________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sol Bermann <solb () UMICH EDU>
Sent: Friday, July 18, 2014 1:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risk analysis And Vendor Management

We require 3rd-party assessments for service providers when sensitive data is involved.

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan

734/615-9661
solb () umich edu




On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu> wrote:
We require our Business Associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?
To see Stanford's policy: "http://web.stanford.edu/group/security/securecomputing/ASP_security.html"
Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu

