How are HITRUST report findings different from those of vendors like Security Scorecard and Bitsight?
While useful, the approach used to obtain reputational scores such as those from Security Scorecard and Bitsight is limited (comparable to a narrowly scoped external penetration test), and what it can observe is arguably unique to each organization's network. Each scorecard vendor also uses a proprietary approach to collecting data and proprietary analytics to compute its scores or ratings. Beyond the challenges inherent in that opacity, any change to these proprietary methods can change an organization's score, sometimes dramatically, even when there has been no discernible change in its actual security posture.* This is because the evidence collected for these scorecards is circumstantial: statements about the actual state of the organization's security posture must be inferred from externally visible signals rather than directly observed.
Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization's information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.