Has Leaf been subject to an IT Security Risk Assessment? #439
-
Hi @artgoldberg, Leaf was subject to an IT Security review at UW Medicine back in 2017 or so (before we went into production), if I recall correctly. However, we weren't provided much information beyond that it was determined to be secure and compliant according to UW's needs, and I'm doubtful we'd be able to find much of the original documentation at this point. This brings up a great point, and it would be nice if we had the results of a security review we can readily share. However, we do not have that right now, unfortunately.
-
I'll be writing a risk assessment using our template at Compass / CU and I'm happy to share what I have via encrypted email.
-
Thanks Art,
It might be interesting to see how the two risk assessments compare -- I will let you know if we’d like to see that.
Best,
Eddie
Eddie Williams, M.H., M.Ed.
Technical Project Manager, Health Data Compass, Colorado Center for Personalized Medicine
University of Colorado Anschutz Medical Campus
E: ***@***.*** | C: 303.653.3909
www.cuanschutz.edu <https://www.cuanschutz.edu/>
From: Arthur P Goldberg ***@***.***>
Date: Friday, May 20, 2022 at 9:27 AM
To: uwrit/leaf ***@***.***>
Cc: Williams, Edward ***@***.***>, Comment ***@***.***>
Subject: Re: [uwrit/leaf] Has Leaf been subject to an IT Security Risk Assessment? (Discussion #439)
Thanks Eddie
We completed and passed an IT Security Risk Assessment earlier this year. My colleagues handled it. Thus, I appreciate your offer but don't think we'll need your risk assessment.
If you're interested in looking at ours, I'm happy to investigate whether I can share it with you.
Regards
Arthur
-
Hello Leaf folks
I've learned that our IT Security department will likely want to conduct an IT Security Risk Assessment of our deployment of Leaf. If so, it will be an intensive and time-consuming process. They will enquire about Leaf's compliance with a wide range of security standards and technologies. The questionnaire is based on NIST 800-171, with HIPAA and DLP questions.
I know, of course, that Leaf is architected with security in mind and carefully employs well-regarded security mechanisms, such as SAML2 authentication and authorization.
Handling a Security Risk Assessment can nonetheless be time-consuming and difficult. Do you know whether Leaf has been subject to an IT Security Risk Assessment? And, if so, what were the results, and could documents and diagrams from the process be shared and reused?
Thanks
Arthur