Educause Security Discussion mailing list archives
Re: Risk analysis And Vendor Management
From: Chuck Kesler <chuck.kesler () DUKE EDU>
Date: Fri, 18 Jul 2014 18:42:13 +0000
Likewise, at Duke Medicine we go through a due diligence process to understand the IT-related risks of doing business with a Business Associate or other vendor, which then dictates what security controls we document as part of a data security agreement exhibit in our contracts.

In cases where sensitive data is going to be stored, processed, or transmitted in a material fashion by the vendor, one of those controls is that the vendor is required to have a third party security audit against an accepted industry standard (e.g. SSAE-16 SOC 2, ISO 27001/27002, NIST 800-53, HITRUST CSF) conducted on an annual basis. We also reserve the right to have the vendor share the results of the audit with us, at minimum in the form of an engagement letter from the auditor that summarizes their methodology and findings.

Chuck

________________________________________
Chuck Kesler, MBA, CISSP, CISM, PMP
Chief Information Security Officer
Duke Medicine
Email: chuck.kesler () dm duke edu
Office: 919-668-0518

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU> on behalf of Sol Bermann <solb () UMICH EDU>
Sent: Friday, July 18, 2014 1:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risk analysis And Vendor Management

We require 3rd-party assessments for service providers when sensitive data is involved

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan
734/615-9661
solb () umich edu

On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu> wrote:

We require our business Associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent.

But we're getting some internal feedback that this is not a standard practice.

--One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.

-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?

To see Stanford's policy "http://web.stanford.edu/group/security/securecomputing/ASP_security.html"

Cheers --grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu