Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Risk analysis And Vendor Management
From: Chuck Kesler <chuck.kesler () DUKE EDU>
Date: Fri, 18 Jul 2014 19:14:02 +0000

(Not quite sure what happened to the formatting in my previous reply, so trying again in hopes that this is more 

Likewise, at Duke Medicine we go through a due diligence process to understand the IT-related risks of doing business 
with a Business Associate or other vendor, which then dictates what security controls we document as part of a data 
security agreement exhibit in our contracts. In cases where sensitive data is going to be stored, processed, or 
transmitted in a material fashion by the vendor, one of those controls is that the vendor is required to have a third 
party security audit against an accepted industry standard (e.g. SSAE-16 SOC 2, ISO 27001/27002, NIST 800-53, HITRUST 
CSF) conducted on an annual basis. We also reserve the right to have the vendor share the results of the audit with us, 
at minimum in the form of an engagement letter from the auditor that summarizes their methodology and findings.‚Äč



Chuck Kesler, MBA, CISSP, CISM, PMP

Chief Information Security Officer

Duke Medicine

Email: chuck.kesler () dm duke edu<mailto:chuck.kesler () dm duke edu>

Office: 919-668-0518

From: Sol Bermann <solb () UMICH EDU<mailto:solb () UMICH EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
Date: Friday, July 18, 2014 1:40 PM
Subject: Re: [SECURITY] Risk analysis And Vendor Management

We require 3rd-party assessments for service providers when sensitive data is involved

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan

solb () umich edu<mailto:solb () umich edu>

On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu<mailto:Dgrisham () salud unm edu>> wrote:
We require our business Associates and other vendors to supply information on systems, applications, databases, medical 
devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what 
we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
--One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an 
excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved? 
Especially if it's outsourced?
To see Stanford's policy "http://web.stanford.edu/group/security/securecomputing/ASP_security.html";
Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE  Albuquerque, New Mexico 87106
Ph: (505) 272-5657<tel:%28505%29%20272-5657>
Department FAX 272-7143, Desk Fax 272-9927
Work email:  dgrisham () salud unm edu<mailto:dgrisham () salud unm edu>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]