Educause Security Discussion mailing list archives
Re: Risk analysis And Vendor Management
From: Chuck Kesler <chuck.kesler () DUKE EDU>
Date: Fri, 18 Jul 2014 19:14:02 +0000
(Not quite sure what happened to the formatting in my previous reply, so trying again in hopes that this is more readable...)

Likewise, at Duke Medicine we go through a due diligence process to understand the IT-related risks of doing business with a Business Associate or other vendor, which then dictates what security controls we document as part of a data security agreement exhibit in our contracts. In cases where sensitive data is going to be stored, processed, or transmitted in a material fashion by the vendor, one of those controls is that the vendor is required to have a third-party security audit against an accepted industry standard (e.g. SSAE-16 SOC 2, ISO 27001/27002, NIST 800-53, HITRUST CSF) conducted on an annual basis. We also reserve the right to have the vendor share the results of the audit with us, at minimum in the form of an engagement letter from the auditor that summarizes their methodology and findings.

Chuck

___________________________________
Chuck Kesler, MBA, CISSP, CISM, PMP
Chief Information Security Officer
Duke Medicine
Email: chuck.kesler () dm duke edu
Office: 919-668-0518

From: Sol Bermann <solb () UMICH EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 18, 2014 1:40 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Risk analysis And Vendor Management

We require 3rd-party assessments for service providers when sensitive data is involved

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan
734/615-9661
solb () umich edu

On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu> wrote:

We require our Business Associates and other vendors to supply information on systems, applications, databases, medical devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what we need to do to mitigate where controls are ineffective or absent. But we're getting some internal feedback that this is not a standard practice.

--One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an excellent policy on vendor management.

-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? Especially if it's outsourced?

To see Stanford's policy: "http://web.stanford.edu/group/security/securecomputing/ASP_security.html"

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu