HITRUST, a leading data protection standards development and certification organization, announced a major release of its HITRUST Third-Party Risk Management (“TPRM”) Methodology that introduces numerous new components including an Inherent Risk Questionnaire, Rapid Assessment, and Trust Score.
Also announced today are enhancements to the HITRUST Assessment XChange (the “Xchange”) Manager platform to fully integrate the TPRM Methodology. This enables the XChange Manager platform to automate the TPRM process from the vendor qualification through the organization’s management of its vendors’ risks.
Further, by bringing the methodology and technology platform together, HITRUST is simplifying the deployment and operationalization of the process organizations use to qualify a third party for a business relationship and provide a common approach that can be used across industries to drive efficient and effective third-party risk management.
“Representing an organization with over a hundred thousand business partners, the alignment of the HITRUST TPRM Methodology provides a significant step forward for any organization that wants to address the inconsistencies, inefficiencies, ineffectiveness, and high costs of their current approach to TPRM and third-party assurance,” said Taylor Lehmann, vice president and CISO, Athena Health, “We need more ‘win-win’ opportunities for organizations and their third parties like this and this gets us a lot closer.”
Today there is no consistent way to determine what information security, privacy, and compliance risk assurances should be provided and maintained when an organization shares sensitive information with a third party, including vendors, suppliers, and business partners.
This creates inconsistencies when organizations seek assurances from their third parties, which can be higher than warranted for risk or regulatory compliance requirements, or lower than warranted for exposing organizations themselves to more risk than intended.
Implementation of the HITRUST TPRM methodology solves this issue by incorporating greater oversight early in the vendor selection process in support of informed decision-making, determining an acceptable level of risk, and reducing the likelihood of vulnerabilities being interjected into an organization’s environment.
This is done by determining how much information security and individual privacy risk a vendor poses and developing strategies to reduce the likelihood and impact of a potential breach before a breach occurs.
The new release of the HITRUST TPRM Qualification Methodology expands on HITRUST’s popular Risk Triage Methodology with a six-step qualification process that provides organizations a comprehensive approach to defining inherent risk factors: 1. Pre-Qualification, 2. Risk Triage, 3. Risk Assessment, 4. Risk Mitigation, 5. Risk Evaluation and 6. Qualification Decision.
The Inherent Risk Questionnaire
A new questionnaire used to support risk triage by collecting information on a common set of inherent risk factors—independent of the security and privacy controls that may or may not be implemented by a vendor—to assess the inherent risk of an existing or proposed business relationship and determine an appropriate mechanism for the assurances it needs at a reasonable cost.
The assurance recommendations also help organizations ensure the remaining residual risk (after controls are applied) does not exceed the organization’s risk tolerance. The Inherent Risk Questionnaire can be implemented and customized through the XChange.
The HITRUST CSF Rapid Assessment
A new “pre-qualifying” self-attested assessment to quickly vet the security posture of any vendor and that can be answered in a minimal amount of time by the vendor.
The HITRUST CSF Rapid Assessment (the “Rapid Assessment”) was designed to support a quick evaluation of an organization’s security posture by selecting specific ‘good security hygiene’ practices from the HITRUST CSF that are suitable for any organization regardless of size or industry.
The requirements are based on HITRUST’s prior work on small business security and privacy programs and assessments, along with recommended security practices from NIST and the U.S. Small Business Administration (SBA).
The Rapid Assessment is industry and framework agnostic, and the data can be leveraged to populate a readiness (previously named “Self-Assessment,” the next level in the assessment process) or Validated Assessment (for potential HITRUST CSF Certification) eliminating duplicate entries and reducing inefficiencies.
The Rapid Assessment will be implemented through the HITRUST MyCSF and the XChange.
The HITRUST Trust Score
A new measure that supports third-party assurance by comparing the results of a HITRUST CSF Readiness Assessment with the results of a HITRUST CSF Validated Assessment generated later in the qualification process.
The Trust Score helps encourage accurate self-assessments and provides another useful data point in an organization’s evaluation of a vendor’s information protection program and the overall trustworthiness of a third party and confidence in the assurances provided. The HITRUST Trust Score will be implemented through the XChange.
“Organizations often struggle to leverage their existing technology because they lack an underlying risk management methodology to support it.
“HITRUST is changing the way organizations look at third-party risk by providing both of these elements in a standardized and automated approach that benefits the entire supply chain,” said Dr. Bryan Cline, Chief Research Officer, HITRUST.