Educause Security Discussion
mailing list archives
Re: Risk analysis And Vendor Management
From: Chuck Kesler <chuck.kesler () DUKE EDU>
Date: Fri, 18 Jul 2014 19:14:02 +0000
(Not quite sure what happened to the formatting in my previous reply, so trying again in hopes that this is more
Likewise, at Duke Medicine we go through a due diligence process to understand the IT-related risks of doing business
with a Business Associate or other vendor, which then dictates what security controls we document as part of a data
security agreement exhibit in our contracts. In cases where sensitive data is going to be stored, processed, or
transmitted in a material fashion by the vendor, one of those controls is that the vendor is required to have a third
party security audit against an accepted industry standard (e.g. SSAE-16 SOC 2, ISO 27001/27002, NIST 800-53, HITRUST
CSF) conducted on an annual basis. We also reserve the right to have the vendor share the results of the audit with us,
at minimum in the form of an engagement letter from the auditor that summarizes their methodology and findings.
Chuck Kesler, MBA, CISSP, CISM, PMP
Chief Information Security Officer
Email: chuck.kesler () dm duke edu
From: Sol Bermann <solb () UMICH EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 18, 2014 1:40 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Risk analysis And Vendor Management
We require 3rd-party assessments for service providers when sensitive data is involved.
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan
solb () umich edu
On Fri, Jul 18, 2014 at 1:33 PM, David Grisham <Dgrisham () salud unm edu> wrote:
We require our Business Associates and other vendors to supply information on systems, applications, databases, medical
devices, etc. That way we can do a risk analysis and document controls that are in place by the vendor as well as what
we need to do to mitigate where controls are ineffective or absent.
But we're getting some internal feedback that this is not a standard practice.
-- One of the big issues is HIPAA/HITECH requiring assurances of security controls. I have found Stanford to have an
excellent policy on vendor management.
-- Is there anybody else out there who requires third-party assessments when confidential/ePHI/PII data is involved?
Especially if it's outsourced?
To see Stanford's policy: http://web.stanford.edu/group/security/securecomputing/ASP_security.html
David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham () salud unm edu