Introduces Cyber Hygiene Assessment and 3rd Party Risk Management Playbook
November 14, 2022 – Frisco, Texas, and Las Vegas – HITRUST is announcing resources that address national cyber and information security priorities identified by government agencies, legislators, and industry. First, the need for an effective set of cyber hygiene controls and mitigations (applicable to smaller organizations) that remain relevant to evolving cyber threats, and a reliable method to demonstrate that organizations have appropriately implemented those controls. Additionally, a standardized, effective, and practical methodology for organizations to determine the inherent risk posed by third parties and recommend an appropriate level of assurances to enable effective evaluation of the controls in operation by the third party – establishing a level of due care for third-party risk management.
“HITRUST’s Innovation and Research teams were tasked with designing practical and effective solutions to solve these national cyber and information risk priorities,” said Robert Booker, Chief Strategy Officer, HITRUST. “I am proud of what was developed as it addresses these crucial issues and will have a significant impact on reducing information risk across companies of all sizes, among those with different inherent risk characteristics, and across their community of suppliers and other associates.”
New Cyber Essentials Assessment
This cyber essentials assessment was designed to meet several unique requirements. It had to:
- Provide a readiness (self) assessment or validated assessment with certification.
- Incorporate controls necessary for relevant and essential information and cyber security, including controls and mitigations associated with current and emerging cyber threats.
- Maintain control relevance as the cyber threat landscape evolves and, if warranted, electronically notify assessed entities of potentially relevant changes in control guidance and mitigations, enabling them to evaluate the current effectiveness of a specific control implementation.
- Incorporate an assurance program that ensures rely-ability of the results, while not being burdensome on the assessed entity to complete.
- Enable the results to be distributed in an electronically consumable manner instead of distributing as a PDF report.
To achieve these unique design requirements, the new Cyber Essentials Assessment leverages HITRUST’s (recently announced) Cyber Threat Adaptive approach to framework development and control selection, which ensures ongoing relevance of controls as the threat landscape evolves by frequently evaluating current Indicators of Attack (IoA) and Compromise (IoC) against security controls and mitigations associated with a cyber hygiene and essential level of assurance.
This third assessment in the HITRUST Assessment portfolio allows HITRUST to offer assessment coverage across a broad spectrum of assurance needs. It targets lower-risk organizations as defined in the new HITRUST TPRM methodology or can be a starting point for organizations that may be early in implementing their information security controls. The Cyber Essentials Assessment will be available in January 2023.
“There is no question that available assessments being used to evaluate basic cyber hygiene, be it questionnaire or proprietary assessments, are lacking in control selection and relevance,” said Omar Khawaja, vice president and chief information security officer (CISO) for Highmark Health. “Having a cyber hygiene assessment, that is kept relevant, with a commensurate level of effort to complete and incorporates HITRUST quality and consistency is a huge win in reducing breaches.”
Quick-Start Guide to HITRUST TPRM Implementation
Third-party risk management (TPRM), for those who rely on assurances and/or those who must provide them, can be made more efficient and effective through a standardized approach to triaging third parties based on specific inherent risk factors and selecting an assessment that provides a level of assurance appropriate to the risk they pose.
This Quick-Start Guide is designed to help organizations implement the information security-related components of a comprehensive third-party risk management program. It is designed to:
- Simplify and streamline usage of the recently updated HITRUST TPRM Methodology.
- Distill the broader methodology and its related formulas to a clear set of actionable steps.
- Provide clear guidance and recommendations on how to compute inherent risk, classify vendors, select the appropriate level of third-party assurance.
- Summarize alternative approaches to satisfy requirements while allowing organizations to understand and specify risk levels and tolerances.
- Provide links to additional reference material for further education on the concepts covered.
The Quick-Start Guide and TPRM Methodology incorporate the recently released (patent pending) HITRUST Assurance Rely-ability Maturity Model (ARMM), which is a unique methodology that objectively scores the rely-ability of an assurance method based on its specific features and pairs an appropriate assurance method for a third party based on its inherent risk to the relying party (via the inherent risk score computed during triage).
“It is key that organizations understand the inherent risk vendors pose and are able to obtain a reliable evaluation of the information risk in a way that is efficient for the third party,” said Brenda Callaway, divisional vice president, Information Security Risk Management, HCSC. “HITRUST’s new TPRM methodology and additional assessment options provide the important tools to better manage third-party risk.”
Results Distribution System (RDS) Enhancements
HITRUST is announcing enhancements to its Results Distribution System to streamline integration with TPRM solutions.
New API enhancements in the HITRUST Results Distribution System will make it easier for relying parties to integrate RDS into their TPRM solution. By leveraging RDS API, organizations can receive HITRUST assessment results electronically, whereby reducing the time and effort of tracking down, and inputting results into their TPRM solutions. In most cases today, organizations are manually only entering key result information into their TPRM solutions, which doesn’t allow for vendor-specific or population analysis. RDS enables detailed assessment results to be captured and used for vendor and vendor population analysis and automates the receipt of updated assessment information, such as corrected action plans.
“As a leader in managed TPRM services, we understand the challenges organizations face and limitations that exist today in managing third-party risk,” said Cliff Baker, CEO, CORL Technologies. “Having a comprehensive risk triage approach that can be widely adopted, and a low, medium, and high assessment portfolio, all capable of delivering results electronically into our managed TPRM solution, will enable more efficient and effective third-party risk management for our customers and the industry.”
The Quick-Start Guide to HITRUST TPRM Implementation is available here: TPRM Playbook
For details on the HITRUST TPRM Approach and other HITRUST assurances, visit the HITRUST website.
See us at the HLTH Conference – Booth v-521.