Cybersecurity is only as strong as the security of an organization's vendors. Randall Frietzsche, chief information security officer (CISO) of Denver Health, a level one trauma center in Denver, has his organization's information security assessments down to a science. On today's show, Randall joins Change Healthcare's John Zuziak to share how Denver Health conducts security assessments, and how Randall's team assesses new vendors and monitors for vulnerabilities.
Today's panel: John Zuziak, Change Healthcare's Security and IT Risk Management Practice director; and Randall "Fritz" Frietzsche, MS, CISSP, CHPC, C|EH, C|HFI, ISSA distinguished fellow, and enterprise chief information security officer (CISO) at Denver Health, Denver, Colo.
Here's what they talked about:
- Frameworks for building security programs and assessments
- Assessing security risk with third-party vendors
- Creating a risk management policy
- Conducting risk stratification analysis
- Assigning risk tiers to third-party vendors
- Keeping an eye on control gaps
- Bucketing risks: financial, reputational, patient safety
- Addressing vendors' security gaps
- Allowing for exceptions to the rules
- The security check as part of the purchasing workflow
- Top 10 security control objectives in every contract
- The annual third-party review