Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Risk analysis And Vendor Management
From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 18 Jul 2014 17:39:21 +0000

We do, and it sounds like we have a similar program in place.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Friday, July 18, 2014 12:33 PM
Subject: [SECURITY] Risk analysis And Vendor Management

We require our business Associates and other vendors to supply information
on systems, applications, databases, medical devices, etc. That way we can
do a risk analysis and document controls that are in place by the vendor as
well as what we need to do to mitigate where controls are ineffective or
But we're getting some internal feedback that this is not a standard practice.
--One of the big issues is HIPAA/HITECH requiring assurances of security
controls. I have found Stanford to have an excellent policy on vendor
-- Is there anybody else out there who requires third-party assessments
when confidential/ePHI/PII data is involved? Especially if it's outsourced?
To see Stanford's policy
Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927 Work email:
dgrisham () salud unm edu

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]