Educause Security Discussion
mailing list archives
Re: Risk analysis And Vendor Management
From: Renee Peters <renee () NORTHEAST EDU>
Date: Fri, 18 Jul 2014 18:01:08 +0000
We require a third-party security assessment for all external partners that will be accessing our internal systems or
Renee Peters
Director of Technology Risk & Service Management
Northeast Community College
402-844-7072 | renee () northeast edu | fax 402-844-7400
801 E. BENJAMIN AVE. | PO BOX 469 | NORFOLK, NE 68702
402-371-2020 | 800-348-9033 | FAX 402-844-7400
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David
Sent: Friday, July 18, 2014 12:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk analysis And Vendor Management
We require our Business Associates and other vendors to supply information on systems, applications, databases, medical
devices, etc., so that we can do a risk analysis and document the controls that are in place at the vendor as well as what
we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an
excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved?
Especially if it's outsourced?
To see Stanford's policy "http://web.stanford.edu/group/security/securecomputing/ASP_security.html"
David D. Grisham, Ph.D., CISM, CRISC
Manager, IT Security
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive SE, Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143 | Desk FAX 272-9927 | Work email: dgrisham () salud unm edu