By Monique Henderson, Director of Third-Party Risk Management, HITRUST
Every organization has multiple processes scattered throughout every department to manage workflows and make them more repeatable. Inescapably, over time, these processes, procedures, and workflows become antiquated and unwieldy.
For example, years ago, everyone was used to paying highway tolls manually by following the existing process of throwing coins in the bucket. And we were good at it! We allowed extra time in our daily commutes for paying tolls along the way. We had change holders in our cars with quarters, dimes, and nickels, so we did not have to wait in the slower line to change out dollar bills for coins.
We got used to the process. Eventually, someone thought, “there’s got to be a better way to pay tolls!” This thinking led to the innovation of the digital toll tag and open-road, overhead toll readers.
We’re All Tired of Inefficient Processes for Sharing and Consuming Information Protection Assurances
For organizations that need to share their data security results, the newer approach to managing tolls shows how technology can transform an existing process: toll tags and overhead readers added efficiency to paying highway tolls, and the same kind of change can bring efficiency to managing vendor IT security assurances. For years, businesses have exchanged reports by emailing PDFs to each other, manually receiving and processing one security and privacy assessment at a time. The existing process to obtain, interpret, and analyze vendor IT security and privacy assessment results is outdated for both assessed entities and their relying parties. It is highly inefficient and time-consuming, which makes it extremely difficult to effectively monitor and manage vendors.
That’s because companies vetting vendor security risk are typically using an approach similar to the clunky old toll method of throwing coins into the bucket: asking new vendors to answer lengthy, manual questionnaires as they try to navigate past the onboarding booth, or requiring current vendors to provide annual assurance reports, which equates to relying on the toll attendant to make change and let them pass through. In addition to taking up valuable time from the vendor IT teams, it takes the companies requesting questionnaires and reports countless hours to receive vendor assurances and manually enter the data into tracking spreadsheets or TPRM systems. Plus, since all the coins don’t always end up in the bucket, relying parties often must “honk their horns” to get their questions answered in a timely manner.
Under the current system of exchanging PDFs, once assessments are complete and received, the relying party is forced to manually evaluate the scope and scoring of the security controls deployed by their vendors to determine third-party risk. Next, the organization must upload the report into a vendor risk management system and then repeat the process annually with every vendor, often at different times of the year, with different scopes and different results. Today, it is difficult to effectively evaluate and manage vendor risk when there are few automation or analytics capabilities to rely upon.
In addition to the resources required to collect and manage the minimal information gathered by questionnaires and reports, there is also a huge opportunity cost. The current time-consuming process often distracts risk managers from focusing on higher-value vendor management activities that mitigate risk. Just think of what else those resources could be doing if they received assurance data more efficiently, flowing digitally into a vendor risk management platform rather than arriving in the typical PDF format.
The HITRUST Results Distribution System (RDS) Addresses the Highly Inefficient Process of Obtaining, Interpreting, and Analyzing Third-Party Assessment Results
Finally, The HITRUST Results Distribution System: A Fundamental Change to Managing Assessment Results
Here at HITRUST, we thought, “there must be a better way.” This led to an innovation called the HITRUST Results Distribution System (RDS), which makes it possible for assessed entities to share their HITRUST Assessment results securely and electronically with designated relying parties, who can seamlessly view key aspects of the assessment through the RDS portal or through an API interface with their own TPRM solution.
When I was a Sr. Risk Advisor for a major health plan, I would receive huge PDF reports from the vendors we were trying to evaluate or onboard. It would take at least 1-2 hours per report to find the bare minimum information we needed. I also had to make sure the report was authentic and current. In some cases, the PDFs were copy-protected or password-protected, which meant I had to go back to the vendor to get access to the data and then pore through these lengthy reports to manually find, cut, and paste key information into our GRC tool. We had to do this for hundreds of vendors! The existing process is so tedious and time-consuming that we had to pay to outsource it. It was just too much for our team.
Now that I am at HITRUST, I am passionate about the value the RDS solution can bring to my old team and to any organization focused on managing third-party risk, not only because it drives efficiency, but also because it can:
- Reduce labor costs and enable risk managers to focus on higher-value activities
- Allow organizations to better understand, monitor, and track vendor gaps in real time
- Allow relying parties to unleash analytics to make better business decisions faster
- Speed up the process of onboarding new vendors
Buckle Up, the High-Speed Lane Solution is Here!
There is no scenario where large PDFs should be manually distributed to share the important assessment results another organization needs. We are beyond that in the supply chain risk management profession and in the cybersecurity industry. Much like the efficiencies toll authorities implemented in the transportation industry, HITRUST is the only assurance program that can integrate and innovate technologies that improve the user experience in assurance sharing. Once organizations realize that they can get their vendor risk assessments delivered through the HITRUST Results Distribution System, they will wonder how they ever lived with the old process.
Can you imagine going back to the time of toll booths and pocket change?
As a sneak preview of what is coming from HITRUST in the second half of 2022: look for additional RDS analytics and reporting capabilities as well as more API interface options.
For additional information about how RDS can help your organization efficiently manage your vendor security evaluation processes:
Contact a HITRUST Product Specialist
Call: 855-448-7878 or Email: firstname.lastname@example.org
About the Author
Monique Henderson, Director Third-Party Risk Management, HITRUST
Monique has more than 15 years of expertise in Third-Party Risk Management, Cybersecurity/Continuous Risk Monitoring, and Vendor Contract Negotiation. In past positions, Monique stood up entire GRC programs and matured existing TPRM functions. Monique serves as a TPRM consultant to HITRUST clients, offering suggestions on how to best leverage HITRUST certifications across their vendor populations, as well as counsel on how to mature other TPRM functions. Monique holds a BS degree from North Carolina Wesleyan College.