Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.
As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.
By providing a common set of risk factors independent of the security and privacy controls that may or may not implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.